
adware.iefeats

Status
Not open for further replies.

soboyle

Technical User
Jan 18, 2006
7
US
I have a computer that has some stubborn adware, or whatever it is. Symantec sees it but doesn't seem to be cleaning it.
It has a scrolling bar at the top of the screen that pops down and says "Warning your computer is infected, press here for help".

I am on a domain here, so when I reboot into safe mode I have to log in as a different user (unless I boot into safe mode with networking); not sure if that makes this harder or not.
Here is the HijackThis log I just ran on this computer. I'm open for suggestions.

Logfile of HijackThis v1.99.1
Scan saved at 4:09:41 PM, on 1/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\CFdesign70\cfdserv7.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\PTC\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\system32\cmd.exe
C:\ptc\wildfire2\i486_nt\nms\nmsd.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\gd-dial.exe -remove
O4 - HKCU\..\Run: [0ymxz8fvx5] C:\WINNT\79gayw5ubs.exe
O4 - HKCU\..\Run: [diym89odfg] C:\WINNT\rldonld0hs.exe
O4 - HKCU\..\Run: [agv1vh2f4m] C:\WINNT\e0vjnfpuw7.exe
O4 - HKCU\..\Run: [vxm4cpjoob] C:\WINNT\wwo1obk2wu.exe
O4 - HKCU\..\Run: [6scay4igia] C:\WINNT\a2u0g779u1.exe
O4 - HKCU\..\Run: [tnwgoim3je] C:\WINNT\x4nvl829ro.exe
O4 - HKCU\..\Run: [k9ubb4n53e] C:\WINNT\66cz5ss8rg.exe
O4 - HKCU\..\Run: [ud13huo460] C:\WINNT\v2nhl9ah14.exe
O4 - HKCU\..\Run: [0p7lkcdc5c] C:\WINNT\n9tii39u71.exe
O4 - HKCU\..\Run: [5nalexdt65] C:\WINNT\7cgamzrdot.exe
O4 - HKCU\..\Run: [hiu06he23j] C:\WINNT\ypoy4jwvvk.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.0] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{52980496-90FB-491F-A020-D6BB8B9CF622}: NameServer = 192.168.0.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fti-cvt.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cfd Server 7 - Unknown owner - C:\CFdesign70\cfdserv7.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
 
Download the pocket killbox

* Click here to download smitRem.zip.
* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download Cleanup from here

* A window will open; choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on the Cleanup40.exe icon.
* Then click RUN and place a checkmark beside "I Agree".
* Then click NEXT followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Download the trial version of Ewido Security Suite.

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00084\gd-dial.exe -remove
O4 - HKCU\..\Run: [0ymxz8fvx5] C:\WINNT\79gayw5ubs.exe
O4 - HKCU\..\Run: [diym89odfg] C:\WINNT\rldonld0hs.exe
O4 - HKCU\..\Run: [agv1vh2f4m] C:\WINNT\e0vjnfpuw7.exe
O4 - HKCU\..\Run: [vxm4cpjoob] C:\WINNT\wwo1obk2wu.exe
O4 - HKCU\..\Run: [6scay4igia] C:\WINNT\a2u0g779u1.exe
O4 - HKCU\..\Run: [tnwgoim3je] C:\WINNT\x4nvl829ro.exe
O4 - HKCU\..\Run: [k9ubb4n53e] C:\WINNT\66cz5ss8rg.exe
O4 - HKCU\..\Run: [ud13huo460] C:\WINNT\v2nhl9ah14.exe
O4 - HKCU\..\Run: [0p7lkcdc5c] C:\WINNT\n9tii39u71.exe
O4 - HKCU\..\Run: [5nalexdt65] C:\WINNT\7cgamzrdot.exe
O4 - HKCU\..\Run: [hiu06he23j] C:\WINNT\ypoy4jwvvk.exe


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
c:\program files\GlobalDialer\domer00084\gd-dial.exe
C:\WINNT\79gayw5ubs.exe
C:\WINNT\rldonld0hs.exe
C:\WINNT\e0vjnfpuw7.exe
C:\WINNT\wwo1obk2wu.exe
C:\WINNT\a2u0g779u1.exe
C:\WINNT\x4nvl829ro.exe
C:\WINNT\66cz5ss8rg.exe
C:\WINNT\v2nhl9ah14.exe
C:\WINNT\n9tii39u71.exe
C:\WINNT\7cgamzrdot.exe
C:\WINNT\ypoy4jwvvk.exe



* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files; click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

Run an online antivirus check from

* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.

- Save the results from the scan!

Post another HijackThis log, the Ewido and ActiveScan logs, and the contents of smitfiles.txt from the smitRem folder.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
OK, I ran through all the instructions mentioned above; here are the new log files. I'll now run the suggestions that Erik mentioned.

Activescan:
Incident - Status - Location

Adware:adware/searchaid - Not disinfected - C:\WINNT\SYSTEM32\sdkyt32.exe
Potentially unwanted tool:Application/Processor - Not disinfected - C:\Documents and Settings\koelbel\Desktop\antivirus\smitRem\Process.exe
Potentially unwanted tool:Application/Processor - Not disinfected - C:\Documents and Settings\koelbel\Desktop\antivirus\smitRem.exe [ Process.exe ]
Potentially unwanted tool:Application/Processor - Not disinfected - C:\Documents and Settings\koelbel\Desktop\paul\smitRem\Process.exe
Potentially unwanted tool:Application/Processor - Not disinfected - C:\Documents and Settings\koelbel\Desktop\paul\smitRem.exe [ Process.exe ]
Potentially unwanted tool:Application/Processor - Not disinfected - C:\users\koelbel\paul\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor - Not disinfected - C:\users\koelbel\paul\smitRem.exe [ Process.exe ]

Kaspersky:
--------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 18, 2006 11:49:34
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/01/2006
Kaspersky Anti-Virus database records: 161292
-----------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINNT
C:\DOCUME~1\koelbel\LOCALS~1\Temp
Scan Statistics:
Total number of scanned objects: 9651
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1116 sec

Infected Object Name - Virus Name
C:\WINNT\_MSRSTRT.EXE:difomo:$DATA
Infected: Trojan-Downloader.Win32.Agent.td

Scan process completed.

Ewido:
----------------------------------------------
ewido anti-malware - Scan report
----------------------------------------------

+ Created on: 11:08:33 AM, 1/18/2006
+ Report-Checksum: 1377EC51
+ Scan result:

C:\Documents and Settings\koelbel\Cookies\koelbel@2o7 [ 1 ] .txt -> Spyware.Cookie.2o7 : Cleaned with backup

::Report End

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:23 PM, on 1/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\CFdesign70\cfdserv7.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PTC\flexlm\i486_nt\obj\ptc_d.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\koelbel\Desktop\antivirus\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.0] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{52980496-90FB-491F-A020-D6BB8B9CF622}: NameServer = 192.168.0.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fti-cvt.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cfd Server 7 - Unknown owner - C:\CFdesign70\cfdserv7.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
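
Added example (not from this thread, nor from HijackThis, Kaspersky or any other tool mentioned in it): the two log formats posted above can be triaged mechanically. The script parses HijackThis O4 Run-key lines and flags the patterns the helpers in this thread singled out: an executable launched from a Temp directory, a random ten-character filename sitting directly under C:\WINNT, and a browser started from a Run value (the iexplore.exe entry Erik recommends removing later in the thread). It also recognises Kaspersky's `path:stream:$DATA` notation, which means the detection lives in an NTFS alternate data stream of the named host file and will not appear in an ordinary directory listing. The sample lines are constructed to resemble the first log, and the heuristics are the editor's own, not rules from any of the tools.

```python
"""Triage helpers for the two log formats seen in this thread: HijackThis
O4 (Run-key) entries and Kaspersky's NTFS alternate-data-stream notation."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's first HijackThis log (example
# data, not a verbatim copy): two benign entries, one running from Temp, one
# random-named file directly under C:\WINNT, the iexplore.exe Run value, and
# a Global Startup entry the parser should ignore.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\ADMINI~1.FTI\LOCALS~1\Temp\15.tmp.exe
O4 - HKCU\..\Run: [0ymxz8fvx5] C:\WINNT\79gayw5ubs.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.0] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
# Kaspersky's way of naming an alternate data stream: host:stream:$DATA
ADS_RE = re.compile(r'^(?P<host>[A-Za-z]:\\[^:]+):(?P<stream>[^:]+):\$DATA$')
# Ten lowercase alphanumerics mixing letters and digits, as in the thread's
# C:\WINNT\79gayw5ubs.exe family (heuristic, not a vendor signature).
RANDOM_NAME_RE = re.compile(r'^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{10}\.exe$')


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 Run-key line into hive, value name and executable path.
    Global Startup (.lnk) entries and non-O4 lines return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    return {
        "hive": m.group("hive"),
        "name": m.group("name"),
        "exe": exe.group("exe") if exe else m.group("cmd"),
    }


def flag_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristics drawn from this thread's logs; each hit is a reason string."""
    reasons: List[str] = []
    parts = entry["exe"].split("\\")
    basename = parts[-1]
    parent = parts[-2] if len(parts) >= 2 else ""
    if any(p.lower() == "temp" for p in parts[:-1]):
        reasons.append("executable runs from a Temp directory")
    # Exactly drive + Windows dir + file, e.g. C:\WINNT\79gayw5ubs.exe
    if len(parts) == 3 and parent.upper() in ("WINNT", "WINDOWS") \
            and RANDOM_NAME_RE.match(basename.lower()):
        reasons.append("random-looking filename directly under the Windows directory")
    if basename.lower() == "iexplore.exe":
        reasons.append("browser launched at every logon via a Run value")
    return reasons


def triage_hjt(text: str) -> List[Dict[str, object]]:
    """Return the O4 entries that trip at least one heuristic, with reasons."""
    flagged: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def parse_ads(obj_name: str) -> Optional[Dict[str, str]]:
    """Recognise Kaspersky's path:stream:$DATA notation for an NTFS alternate
    data stream. A plain file path returns None."""
    m = ADS_RE.match(obj_name)
    if not m:
        return None
    return {"host": m.group("host"), "stream": m.group("stream")}


if __name__ == "__main__":
    for hit in triage_hjt(SAMPLE_HJT):
        print(f'{hit["hive"]} [{hit["name"]}] {hit["exe"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
    ads = parse_ads(r"C:\WINNT\_MSRSTRT.EXE:difomo:$DATA")
    print("ADS host file:", ads["host"], "stream:", ads["stream"])
```

Run against the sample, the three flagged entries are the Temp-directory file, the random-named C:\WINNT file and the iexplore.exe Run value; the QuickTime and Gadwin entries and the Global Startup line pass untouched. The ADS parser is there to make the point that a Killbox path of `C:\WINNT\_MSRSTRT.EXE:difomo:$DATA` targets a stream attached to `_MSRSTRT.EXE`, not a separate file.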
 
Erik
I ran Spy Sweeper, it found 2 items, fastlook hijacker and searchv hijacker. Do I need to purchase spysweeper to clean these, or is there a better way?

Shaun
 
You should be able to use the trial version to clean them without having to purchase the item (it's a 14 day trial), I think.
 
Erik, Thanks, I was able to remove those threats. Any feedback on the latest HijackThis log?
 
I would remove the following:

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

Other than that...should be good to go.

Hope it helped

Erik
 

Put these through the Killbox!

C:\WINNT\_MSRSTRT.EXE:difomo:$DATA
C:\WINNT\SYSTEM32\sdkyt32.exe

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Ok, one more copy of the HijackThis log, anything else to clean?
And more importantly what can I do to prevent further infections?

Logfile of HijackThis v1.99.1
Scan saved at 8:23:34 AM, on 1/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\CFdesign70\cfdserv7.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\3DLman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
C:\PTC\flexlm\i486_nt\obj\ptc_d.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\koelbel\Desktop\antivirus\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{52980496-90FB-491F-A020-D6BB8B9CF622}: NameServer = 192.168.0.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fti-cvt.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fti-cvt.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cfd Server 7 - Unknown owner - C:\CFdesign70\cfdserv7.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\PTC\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
 