
very odd virus/worm 3


j0ckser

computer=dell latitude 600
o/s=win2k build 2195 sp4

The problem ONLY occurs with one website and only with this computer (I have checked this issue with another computer - no problem):

- when I enter my username and p/w I get a popup warning:
header=Microsoft Internet Explorer
text=[yellow triangle warning] "Please make sure the 'Languages...' setting for your internet explorer is not empty."

If this would go away or could be closed I would put up with it for a while, but it doesn't. I can close it, but it pops right back...again...ad nauseam.

I admit to erring:
1. I was away from the internet for some time and didn't update my virus definitions prior to logging in to my email.
2. I did update my def's (AntiVir) and ran a scan, which identified the critter and removed it, but I did not catch the name. I also ran Ad-Aware SE and X-Cleaner for extra precaution.
3. Was I in the clear? NO. It's still there, although subsequent scans by Ad-Aware, X-Cleaner and AntiVir "say" I'm clear (i.e., don't show any issue).

Attached is my Hijack log.

I have seen this affecting NO OTHER area of my surfing travels, and no other use of my computer; ODD behaviour to say the least.

Code:
Logfile of HijackThis v1.98.2
Scan saved at 13:17:58, on 05/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\basfipm.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\system32\DrvMon.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\program files downloaded\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.54.27.103:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 100% Free Spades Toolbar Helper - {3EBD3651-4CCA-4656-9F98-BAB4B72C6031} - C:\Program Files\100% Free Spades Toolbar\v2.0.0.2\100%_Free_Spades_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: 100% Free Spades Toolbar - {00490D79-3A7F-4c8a-9E04-2BC1D89676F1} - C:\Program Files\100% Free Spades Toolbar\v2.0.0.2\100%_Free_Spades_Toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [print sharing] C:\winnt\system32\msinfo\drivers\stuff\secure.bat
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINNT\system32\DrvMon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://www.allmusic.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

Naturally, any help would be appreciated. I will not have internet access after 7-Mar @ 10h00 EST (GMT-5) for several days and would like to fix this prior to that.

..ttfn..

per ardua ad astra
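An added example, not from the thread and not part of HijackThis: a small Python triage script that parses three of the log line types shown above (R1 proxy settings, O2 browser helper objects, O4 autorun entries) and flags the entries a reviewer would check first. The sample lines are copied from the log posted above; the heuristics (a proxy outside the local machine or LAN, a BHO whose file is missing, an autorun with no path or launching a script, the same autorun registered in more than one location) are my own and mark entries for verification, not as malware.

```python
"""Triage helper for HijackThis-style log lines (added example; the heuristics are
the editor's own, not HijackThis's or the thread's). It does not decide what is
malware; it surfaces the entries a reviewer should look at first and says why."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.54.27.103:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [print sharing] C:\winnt\system32\msinfo\drivers\stuff\secure.bat
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINNT\system32\DrvMon.exe
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Services)?): \[(.*?)\] (.*)$")
# First token of an unquoted command: everything up to an executable-style extension
# followed by whitespace or end of line (paths with spaces are common in these logs).
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|vbs|js|pif|scr))(?=\s|$)", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")


@dataclass
class Finding:
    line: str
    reason: str


def proxy_is_external(value: str) -> bool:
    """True unless the proxy points at loopback or a private (RFC 1918) address."""
    host = value.rsplit(":", 1)[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address; the owner still has to recognise it
    return not (addr.is_loopback or addr.is_private)


def launcher(command: str) -> str:
    """Return the program an autorun command starts: the quoted path, or the path/name before any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Dict[str, List[str]] = defaultdict(list)  # "name|launcher" -> autorun locations
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m and proxy_is_external(m.group(1)):
            findings.append(Finding(line, "IE proxy points outside the local machine/LAN; browser traffic is routed through it"))
            continue
        m = BHO_RE.match(line)
        if m and m.group(3).strip() == "(no file)":
            findings.append(Finding(line, "browser helper object registered but its DLL is missing (orphaned entry)"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = launcher(command)
            if "\\" not in exe:
                findings.append(Finding(line, f"autorun '{name}' gives no path for {exe}; it resolves via the search path, so confirm which file actually runs"))
            elif exe.lower().endswith(SCRIPT_EXT):
                findings.append(Finding(line, f"autorun '{name}' launches a script ({exe}) rather than a program binary"))
            seen[f"{name}|{exe.lower()}"].append(hive)
    for key, hives in seen.items():
        if len(hives) > 1:
            name, exe = key.split("|", 1)
            findings.append(Finding(f"[{name}] {exe}", f"same autorun registered in {len(hives)} locations: {', '.join(hives)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports the external proxy, the orphaned BHO, the two path-less autoruns, the .bat autorun and the duplicate "Microsoft DirectX" entry, and stays silent on the Apoint, RealPlayer and DrvMon lines. A legitimate driver component can still show up as "no path", so each flag is a prompt to verify the file on disk, not a verdict.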
 
Is your computer running any better now?


Satrow's right. Get rid of these below!


Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box. Then click yes
to reboot after you entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINNT\system32\setoff.exe
C:\windows\java\Libparse.exe
C:\windows\java\mscmd.exe

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
I have removed all that I was advised to remove.

I went to gmail, entered my u/n & p/w and lo and behold... the pop-up still lives!!!

HOWEVER

I noticed that gmail has 3 modes: standard with chat, standard, and html or basic. In desperation, I switched to basic, and TAHDAAAHHH...NO POPUP!

So...I have my problem fixed in a roundabout way, but the issue still exists, AND we now have more troubleshooting info: somehow this is related to a scripting difference between the standard with chat (I cannot switch to standard [no chat]) and basic.

If those kind folks who helped wish to pursue this further, I am 'all ears', but since I can access my gmails without any hassle I am prepared to let this thread rest.

There aren't enough stars here to thank those who contributed to my help for this issue.

per ardua ad astra
 
j0ckser, now that you're clean, why don't you switch to Firefox or Opera - see how they behave with gmail?

pechenegs, I'll give you a star for your skill at filtering through those logs - well done!

Andy.
 
cheers satrow!

jockser, try using these tools as well!

Here are some free tools to keep you from getting infected in the future.

To stop reinfection get these two tools, spywareguard and spywareblaster,
from

Get the hosts file from here. Unzip it to a folder!

Put it into : or click the mvps bat and it should do it for you!

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

ie-spyad. Puts over 5000 sites in your restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

Use spybot's immunize button and use spywareblaster's enable
protection once you update it. You can put spybot's hosts file into
your own and lock it.

I would also suggest switching to Mozilla's Firefox browser, it's safer, has
a built-in pop up blocker, blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.

Another good and free browser is Opera!

Read here to see how to tighten your security:

A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 