Hijack This Log - please help!!!!

#1 - jgetman - 01-07-2005, 02:41 PM
Hijack This Log - please help!!!!

[thank you very much in advance - I just can't shake this thing]

Logfile of HijackThis v1.99.1
Scan saved at 9:43:10 AM, on 7/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\winnt\system32\zuzquraw.exe
C:\WINNT\system32\rajpnm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\urlmdll.exe
C:\WINNT\system32\actmovie.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system\wkkgtx.exe
C:\WINNT\system32\umplpapi.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tlanglois\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XpOpenAuto] "C:\Program Files\Belkin\Belkin 54Mbps Wireless Utility\TOOL\OpenXpAuto.exe" 979899a48a75987f6b9d86a9aa798c73837198ae83a6a498b878837b768a788c84
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [zuzquraw] c:\winnt\system32\zuzquraw.exe
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rajpnm.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteztd32.exe
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [bE06RRMmU] umplpapi.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0554e975...p/RdxIE601.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
#2 - HJThis - 01-07-2005, 05:15 PM
Re: Hijack This Log - please help!!!!

Hello, jgetman, and welcome.

First, move HijackThis to a folder on the C: drive, like so: C:\HJT

Now, after doing that, I need you to do this right away. You have a number of bad items here, but you have one bad Trojan on this PC, so from this point on, until we have you all clean, do not add or change any passwords; it will not help. I have to go, but I will be back in about 30 or 45 minutes.

But do this right away:

Go for free online virus scans here:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan/

Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself.

Then, right after that, do this:

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop

HGD
#3 - jgetman - 01-07-2005, 09:04 PM
Re: Hijack This Log - please help!!!!

I can't thank you enough for your help.

I did everything you suggested...it looks like I still have some issues, though.

Here is the ewido scan report - I will paste a new Hijack This report in the next post:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:43:06 PM, 7/1/2005
+ Report-Checksum: EAC09C76

+ Date of database: 7/1/2005
+ Version of scan engine: v3.0

+ Duration: 43 min
+ Scanned Files: 85137
+ Speed: 32.59 Files/Second
+ Infected files: 100
+ Removed files: 100
+ Files put in quarantine: 100
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINNT\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\nsf3F.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\dist001.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINNT\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINNT\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINNT\system32\installer_MARKETING49.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINNT\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\Buddy.exe -> Spyware.BetterInternet.d -> Cleaned with backup
C:\WINNT\sgvfaacd.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINNT\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINNT\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINNT\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINNT\ceres.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S130376[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S150194[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S113245[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S130520[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S130346[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S130343[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S148889[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@S142378[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@sdc.shockwave[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\ptf_0015.exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\installer_MARKETING49 -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\ptf_0006.exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\nst68.EXE -> Spyware.SmartPops -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.POP.dl -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\DrTemp\ceres.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temp\ptf_0009.exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\O1EF4HIJ\thnall5c[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\CDYNSTUV\trk_0006[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\SPA38XIZ\trk_0002[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\CHIBWXIF\trk_0015[1].exe -> Spyware.Pacer.e -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\C5KVSVC7\abiuninst[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\BQSBVTOD\inst4[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\BQSBVTOD\inst5[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\BQSBVTOD\inst13[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\UTRGDW36\wupdt[1].exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\S1EN0PQJ\trk_0009[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\ONH36IRL\inst18[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\tlanglois\Local Settings\Temporary Internet Files\Content.IE5\ONH36IRL\inst15[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\tlanglois\Desktop\backups\backup-20050624-183532-820.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\Documents and Settings\tlanglois\Desktop\backups\backup-20050701-091507-262.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\Documents and Settings\tlanglois\Desktop\backups\backup-20050701-091507-380.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@a.websponsors[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@7712622[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@62672927[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@www.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@statse.webtrendslive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@c2.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@dcs9my07lwievvreitvlspczt_4r2b[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@dcsi5li0l4twkfngxulmkxj49_6k2e[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@dcs9my07lwievvreitvlspczt_4r2b[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@dcsn3p5o3oifwzbe6xmxkntlx_9x5b[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@burstnet[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@ehg-dig.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@targetnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@www.shopathomeselect[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@ehg-stampsdotcom.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\tlanglois\Cookies\tlanglois@ehg-bskyb.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup


::Report End
#4 - jgetman - 01-07-2005, 09:05 PM
Re: Hijack This Log - please help!!!!

and here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:07:35 PM, on 7/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\winnt\system32\zuzquraw.exe
C:\WINNT\system32\rajpnm.exe
C:\WINNT\system32\urlmdll.exe
C:\WINNT\system32\umplpapi.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINNT\system32\actmovie.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XpOpenAuto] "C:\Program Files\Belkin\Belkin 54Mbps Wireless Utility\TOOL\OpenXpAuto.exe" 979899a48a75987f6b9d86a9aa798c73837198ae83a6a498b878837b768a788c84
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [zuzquraw] c:\winnt\system32\zuzquraw.exe
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rajpnm.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteztd32.exe
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKCU\..\Run: [bE06RRMmU] umplpapi.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0554e975...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
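The two logs in posts #1 and #4, triaged and compared programmatically, as an added example that is not part of this thread, HijackThis or ewido. The parser follows the HJT 1.99 line format shown above (`O4 - HKLM\..\Run: [name] command`, and so on). The review heuristics (where the R0/R1 search settings point, O2/O3 registrations whose file is missing, O4 Run entries that use a bare filename or a binary under \WINNT, value names that look machine-generated, and O18 text/html MIME filters) and the small allowlist of Windows binaries are my assumptions for illustration; they produce candidates for a human to check, not verdicts. The embedded logs are abbreviated excerpts of the two logs posted in this thread.

```python
"""Triage and diff HijackThis 1.99 logs. Added example, not part of HijackThis,
ewido or this thread; the review heuristics are assumptions and yield
candidates for a human to check, not verdicts."""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Value names mixing lower case, upper case and digits, e.g. "qprW35g" (heuristic).
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{5,}$")
# Windows components that legitimately run from a bare name (assumed allowlist).
KNOWN_WINDOWS = {"mobsync.exe", "rundll32.exe"}

def parse_hjt(text):
    """Return the [(kind, body), ...] entries of a log; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def command_exe(cmd):
    """Executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def flag_entries(entries):
    """Return [(reason, kind, body)] for entries a human should look at."""
    flags = []
    for kind, body in entries:
        if kind in ("R0", "R1"):  # IE search/start-page settings: where do they point?
            url = body.rsplit("= ", 1)[-1]
            host = urlparse(url if "://" in url else "http://" + url).hostname
            if host:
                flags.append((f"search setting points at {host}", kind, body))
        elif kind in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            flags.append(("registration left behind, file absent", kind, body))
        elif kind == "O18" and body.startswith("Filter: text/html"):
            flags.append(("MIME filter sees every HTML page IE renders", kind, body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:  # Global Startup .lnk entries are not checked here
                continue
            name, exe = m.group("name"), command_exe(m.group("cmd"))
            if exe.rsplit("\\", 1)[-1].lower() in KNOWN_WINDOWS:
                continue
            if "\\" not in exe:
                flags.append(("bare filename, resolved through PATH search", kind, body))
            elif "\\winnt\\" in exe.lower():
                flags.append(("unrecognised binary in the Windows directory", kind, body))
            if RANDOM_NAME_RE.match(name):
                flags.append(("value name looks machine-generated", kind, body))
    return flags

def diff_logs(old_entries, new_entries):
    """Entries removed from / added to the second log, order preserved."""
    old, new = set(old_entries), set(new_entries)
    return ([e for e in old_entries if e not in new],
            [e for e in new_entries if e not in old])

# Abbreviated excerpts of the logs posted in #1 (before ewido) and #4 (after).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zuzquraw] c:\winnt\system32\zuzquraw.exe
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""
LOG_AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zuzquraw] c:\winnt\system32\zuzquraw.exe
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

def triage(before_text, after_text):
    """Flag the first log, then show what the second log dropped and gained."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = diff_logs(before, after)
    return {"flags": flag_entries(before), "removed": removed, "added": added,
            "still_flagged": flag_entries(after)}

if __name__ == "__main__":
    for title, items in triage(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {title} ==", *("  ".join(i) for i in items), sep="\n")
```

Running it shows what the ewido pass in post #3 changed and what it did not: the AutoUpdate and wupdt Run entries are gone, but the Band Class BHO is now listed with "(file missing)" and a CeresObj registration appears without its DLL, while the Run values for zuzquraw.exe and urlmdll.exe and the text/html filter are unchanged. Files were deleted; the registry entries that load them were not, which is the kind of leftover a follow-up cleanup has to target. The bare-filename check matters because a Run value such as `urlmdll.exe` is resolved through the PATH search order at logon, so the file that actually runs depends on the search path rather than on a fixed location.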
#5 - HJThis - 01-07-2005, 09:23 PM
Re: Hijack This Log - please help!!!!

Hi, jgetman

Please download FindQoologic-Narrator.zip and save it to your Desktop:
http://forums.net-integration.net/i...=post&id=134981

Do not run the above file just yet.

You are going to do this one first:

Please download miekiemoes' LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and then run this file:

Extract (unzip) the files inside into their own folder called FindQoologic.
In the FindQoologic folder, please locate and double-click the Find-Qoologic.bat file to run it.
After a short time, Notepad will open. Please copy and paste the text in Notepad in your next post along with a new HijackThis log. Thanks!

HGD

Last edited by HJThis; 01-07-2005 at 10:19 PM.
#6 - HJThis - 01-07-2005, 10:15 PM
Re: Hijack This Log - please help!!!!

Hi, jgetman

Sorry, I just ran a test on this. Try this link, but do as posted above: run the first file, then after the reboot do this:

Please download FindQoologic-Narrator.zip and save it to your Desktop:
http://forums.net-integration.net/in...post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
In the FindQoologic folder, please locate and double-click the Find-Qoologic.bat file to run it.
After a short time, Notepad will open. Please copy and paste the text in Notepad in your next post along with a new HijackThis log. Thanks!

HGD
#7 - jgetman - 01-07-2005, 10:39 PM
Re: Hijack This Log - please help!!!!

I tried running Find-Qoologic, but I get an error message that says:

"c: \winnt\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications"


It created a log - I'm not sure it says much:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85510

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk
RtlWake.lnk
Adobe Gamma Loader.exe.lnk
Adobe Gamma Loader.lnk
eFax DllCmd 3.5.lnk
eFax Tray Menu 3.5.lnk
naki.exe

User Startup:
C:\Documents and Settings\tlanglois\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
  #8 (permalink)  
Old 01-07-2005, 10:40 PM
Newbie
D-A-L Newbie
 
Join Date: Jul 2005
Posts: 18
jgetman Is a beginner here at D-A-L
Re: Hijack This Log - please help!!!!

...and here's the latest HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:42:31 PM, on 7/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\winnt\system32\zuzquraw.exe
C:\WINNT\system32\rajpnm.exe
C:\WINNT\system32\urlmdll.exe
C:\WINNT\system32\umplpapi.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\WINNT\system32\actmovie.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XpOpenAuto] "C:\Program Files\Belkin\Belkin 54Mbps Wireless Utility\TOOL\OpenXpAuto.exe" 979899a48a75987f6b9d86a9aa798c73837198ae83a6a498b8 78837b768a788c84
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [zuzquraw] c:\winnt\system32\zuzquraw.exe
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rajpnm.exe reg_run
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKCU\..\Run: [bE06RRMmU] umplpapi.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0554e975...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
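As an added illustration (not part of the original thread, and not the helpers' tooling): a small Python triage script that parses entries in the HijackThis log format shown above and flags the kinds of entries the helpers act on: search settings pointing at an untrusted host, orphaned BHO/toolbar registrations, Run values with no path, and a text/html MIME filter. The sample lines are copied from the posted log; the trusted-host allowlist is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log posted above (entries
# copied from that log; not the whole scan).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [qprW35g] urlmdll.exe
O4 - HKCU\..\Run: [bE06RRMmU] umplpapi.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""

# Assumed allowlist of search-provider hosts; adjust for your environment.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com")
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(log_text):
    """Yield (kind, body) for every 'Xn - ...' line of a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return (kind, reason, detail) tuples for entries that deserve a closer look."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1]
            host = urlparse(url if "://" in url else "http://" + url).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
                findings.append((kind, "search setting points at untrusted host", host))
        elif kind in ("O2", "O3") and body.endswith(("(file missing)", "(no file)")):
            # The DLL is gone but its CLSID registration remains; clean it up.
            findings.append((kind, "orphaned registration", body))
        elif kind == "O4":
            m = RUN_RE.search(body)
            if m and "\\" not in m.group("cmd").strip('"'):
                # Bare filename: resolved through the search path at logon, so
                # the Run value does not say where the binary really lives.
                findings.append((kind, "Run entry without full path", m.group("cmd")))
        elif kind == "O18" and body.startswith("Filter: text/html"):
            # A text/html MIME filter sees, and can rewrite, every page IE loads.
            findings.append((kind, "MIME filter on text/html", body))
    return findings
```

Run `triage(SAMPLE_LOG)` to list the flagged entries; benign lines such as the Google Toolbar BHO and the fully-pathed iTunesHelper Run value are left alone.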
  #9 (permalink)  
Old 01-07-2005, 10:49 PM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Re: Hijack This Log - please help!!!!

Hi, jgetman

Sorry about that; give this a try.

Please Download RKFiles.zip

Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Restart to safe mode

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT

Give it time to run; this may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Restart into regular Windows mode and post the contents of C:\log.txt

HGD
  #10 (permalink)  
Old 02-07-2005, 12:19 AM
Newbie
D-A-L Newbie
 
Join Date: Jul 2005
Posts: 18
jgetman Is a beginner here at D-A-L
Re: Hijack This Log - please help!!!!

Here's that log -

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\zuzquraw.exe: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\daemon.dll: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
C:\WINNT\tsc.exe: UPX!
Finished
bye