Hijacked by eSearch, HijackThis log attached.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by monsieur42, Jul 21, 2004.

  1. monsieur42

    monsieur42 Private E-2

    Hi,
    I have been hijacked by malware that keeps redirecting my Internet web page to a search engine page called eSearch. This looks pretty much like Coolweb stuff except for the name. I had Coolweb before and was able to get rid of it either with CWShredder or by doing a restore point. None of this works this time (my computer refuses to restore to an earlier date). I ran Norton AV 2003, Ad-aware, Spybot, CWShredder, SpywareBlaster and HijackThis (in this order).
    My HijackThis log is the following (it is clear which lines are showing eSearch. Is it safe to have HijackThis fix them? Is there anything else that needs fixing?):

    Logfile of HijackThis v1.98.0
    Scan saved at 16:39:57, on 2004-07-21
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Applications\Winamp\Winampa.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    D:\Applications\Deamon\daemon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Wacom\TabUserW.exe
    D:\Applications\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jean\Local Settings\Temp\HijackThis.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - D:\Applications\Poppup killer\Popup Manager\PopupMgr_1.0.1.5.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Applications\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\applications\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Applications\Deamon\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
    O4 - HKCU\..\Run: [SpyKiller] D:\Applications\Spykiller\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Webshots.lnk = D:\Applications\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\poste\Local Settings\Temp\EI40_\msxml4.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab


    Thanks for your support.


    Monsieur42. :rolleyes: :rolleyes:
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I don't know where to begin with you :)

    All Hijack This logs demand an explanation of your symptoms and what you have done so far. Have you run Ad-Aware, CWShredder, Spybot? Have you read the Hijack This tutorial, especially where it says to close all running programs (you have Adaptec, Norton's, Hewlett Packard and others running) as well as remove what you do not recognize? This makes it easier for us to scan your log for problems.

    You can remove
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
    R3 - Default URLSearchHook is missing

    But they may come back if you did not use the above tools. Check back with us on where you're at.
     
  3. monsieur42

    monsieur42 Private E-2

    Hi Major,
    Thanks for a quick reply,
    I got the culprit items fixed on the 1st scan, but as you suspected, they came back.

    I shut down everything I could and rescanned. The 2nd Hijack This log is below at the end of this e-mail.

    Some more details about the problem and what I have tried:

    Problem: eSearch shows up as my undesired web home page. If I reset it to my desired home page, I get my proper homepage on the next reboot, but in the Internet Tools options my homepage is changed to eSearch. Therefore, the next time I click the homepage icon or reboot, I am directed to the eSearch page.

    What I have done:
    1-Ran Norton AV: found a backdoor Trojan in the restore files. I deactivated the Windows restore point system.
    2-Updated and Ran Ad-aware, found a few things initially, including some coolweb stuff. Made the clean-up and all Ad-aware scans are now coming clean.
    3- Downloaded, updated and ran Spybot. Found some more stuff, cleaned up and all Spybot scans are now coming clean.
    4- Updated and ran CWShredder, found Winshow, cleaned up and all CWshredder scans are now coming clean.
    5- Downloaded and installed SpywareBlaster (this provides some protection but neither scans nor fixes anything)
    6- Downloaded Hijack This and here I am. Read a lot on forums, a lot of similar problems but never two just the same.

    Here is the latest log:

    Logfile of HijackThis v1.98.0
    Scan saved at 17:55:51, on 2004-07-21
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Applications\Winamp\Winampa.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    D:\Applications\Deamon\daemon.exe
    C:\Program Files\Wacom\TabUserW.exe
    D:\Applications\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    D:\APPLIC~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Jean\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - D:\Applications\Poppup killer\Popup Manager\PopupMgr_1.0.1.5.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Applications\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\applications\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Applications\Deamon\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
    O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
    O4 - HKCU\..\Run: [SpyKiller] D:\Applications\Spykiller\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Webshots.lnk = D:\Applications\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\poste\Local Settings\Temp\EI40_\msxml4.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab


    Thanks again.

    Monsieur42.
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, Chaslang may know more than me, but have you run in safe mode? Have you checked your startup for items loading something you do not recognize? That's a common way they come back. But if you're not in safe mode, they will come back. If you can find an item in startup, uncheck it and delete the file that is loading it.

    So, get to safe mode, check the startup (start, run, type in msconfig) and run your tools again. Also, disable system restore if you're using it.

    Also, take a few minutes to read the Hijack This tutorial, updated today. I think you will be surprised how small this log file could be if you followed those directions, closing running programs and removing some things yourself per the directions. :)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some trojans in your log (sxvhost.exe is not a valid application).
    Try some online scans:
    http://housecall.trendmicro.com/housecall/start_corp.asp select Auto Clean
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Also run:
    avast! Virus Cleaner Tool:http://www.majorgeeks.com/download4188.html
    McAfee Stinger Avert: http://www.majorgeeks.com/download4063.html

    Also, uninstall SpyKiller; it is on our list of fake spyware removal tools. See this link:
    http://forums.majorgeeks.com/showthread.php?t=33977&page=2&pp=20

    After the above (as Major suggested), shut down some unnecessary stuff before making another log. You can start stuff up after you make the log and before you connect to the internet again.
     
  6. monsieur42

    monsieur42 Private E-2

    OK,
    here is an interim report.
    I ran all the virus scans suggested. None picked up sxvhost.exe as a hostile file. In the process, I deleted 2 infected files that could not be cleaned. I hope I did not delete anything important. My next step is to start up in safe mode and run a new Hijack This scan from there. So, if you do not hear from me in the next 24 hrs, it is because I could not reboot properly or I lost my Internet connection. This is what the various scans found:

    From Trend Micro: 2 files were identified as infected but could not be cleaned by their tool. Since I had the option to delete them, I took a chance and deleted them both. Hopefully, everything will still run smoothly when I reboot.

    1) HTML ADVER.A C:\Windows\system32\securityID=816093-MS03-011&privacyAPI32=x401.html

    2) TROJ STARTPAG.GH C:\Windows\win.exe


    From Panda ActiveScan: disinfected 2 occurrences of the following:

    Virus:Exploit/URLSpoof C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\YVC03280\bzbjr[1].htm



    From Avast Virus cleaner:

    avast! Virus Cleaner Tool - version 1.0.197 Unicode

    Creating log file: D:\Applications\Avast virus scan\aswclnr.log

    2004-07-21, 22:31:01
    Memory scanning started...
    No virus body found in memory.
    Memory scanning finished (59,5s).
    ----------
    Files scanning started...
    C:\Documents and Settings\Jean\Local Settings\Temp\~DF917D.tmp... file could not be scanned!
    C:\Documents and Settings\Jean\Local Settings\Temp\~DF9192.tmp... file could not be scanned!
    C:\Documents and Settings\Jean\Local Settings\Temp\~DFB75C.tmp... file could not be scanned!
    C:\Documents and Settings\Jean\Local Settings\Temp\~DFC325.tmp... file could not be scanned!
    No virus body found.
    Files scanning finished (125356 files, 0 infected, 2156,6s).
    Drives scanned: C: D: E:
    ----------
    Registry scanning started...
    Reference to virus found in registry: HKLM:Software\Classes\txtfile\shell\open\command... item fixed.
    Registry scanning finished (8,3s).

    From McAfee Stinger Avert: nothing was found.


    By the way, I would not mind reading the tutorial for Hijack This, if someone would tell me where I can find it.


    See you soon (I hope)

    Monsieur42.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Hijack This tutorial is stuck to the top of this forum, streamlined and simplified today even:
    http://forums.majorgeeks.com/showthread.php?t=35407

    There's a lot going on here; let me cover a couple of things that stand out big time.

    The win.exe worries me since it's tagged as a virus; Stinger should cover that.
    Found a few references to it, all saying it was a known virus and your antivirus program should clean it.

    Next thing is these: C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\YVC03280\bzbjr[1].htm. That's temporary internet files and should be cleaned regularly. Try CCleaner from our drives section. I always clean before a virus or spyware scan. That alone would have eliminated most of your post :)


    As Chaslang said, the sxvhost.exe is a virus and needs to be removed the hard way; done this twice this week. Go into safe mode, make sure it's not running by pressing ctrl, alt and delete and checking processes for the filename sxvhost.exe, and then uncheck it from startup. My friend's AVG caught it but could not delete it, probably because it is running; that's why the extra hassle. So, if you try this from a regular Windows session (not safe mode) it will come back immediately. Only thing is that this trojan usually comes in twos :( I see you're running Norton's; it either failed you or is not up to date. Let's get rid of it, maybe try AVG; it will at least alert you of these so you can delete them as I just described.


    Must sleep soon, might be it for me for tonight, but you have enough to keep you busy :) As a side note, do you chat online much? I have reason to suspect you're getting trojans from IRC or another chat program. This is something to consider, especially since I do not see a firewall running on your machine; you're wide open to every kiddie hacker out there. Consider Zone Alarm Free in our firewall section.
     
    Last edited: Jul 22, 2004
  8. monsieur42

    monsieur42 Private E-2

    Now, after a safe mode start, below is the log that I got from Hijack This. Beats me why there is still a line that shows Spy Killer on the D: drive; I deleted the whole folder before the safe mode start. And by the way, my homepage problem is still there, but it seems that it did not load itself during the safe mode start-up. Something else is active in normal mode to load it.
    (Sorry if the log is still long; I still did not find out where the tutorial mentioned in previous messages is.)


    Logfile of HijackThis v1.98.0
    Scan saved at 00:20:59, on 2004-07-22
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Applications\Highjack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
    R3 - Default URLSearchHook is missing
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - D:\Applications\Poppup killer\Popup Manager\PopupMgr_1.0.1.5.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Applications\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\applications\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Applications\Deamon\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
    O4 - HKCU\..\Run: [SpyKiller] D:\Applications\Spykiller\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Webshots.lnk = D:\Applications\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\poste\Local Settings\Temp\EI40_\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab



    Monsieur42.
     
  9. monsieur42

    monsieur42 Private E-2

    OK, OK, I found the tutorial. I am going right there to have a thorough education.

    Monsieur42.
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I placed a link above to the Hijack This tutorial while you were typing, it appears, so I will leave you be as you need to work on my post above to get rid of that trojan. I think you beat the hijack though; the log file is looking better.

    O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe

    I have to ask Chaslang about this one, it smells fishy:

    O16 - DPF: {13112111-1224-1141-1451-111111113533} -
    file://c:\windows\system32\setup1.exe

    As I said before, usually this trojan I saw comes in 2's, I suspect setup1.exe and sxvhost.exe, both in Windows\system32 are the trojans. Bet if your in safe mode and check startup that they are being run in there, once deleted and removed from startup, trojan problem gone.

    When you're done, try Firefox, in our browsers section. Bit safer than Internet Explorer and looks similar.
     
    Last edited: Jul 22, 2004
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that O16 line must go. In fact, I have seen it a couple of times in a few other logs that also had esearch hijack problems. There could be a relationship or it could just be a coincidence.
     
  12. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    That would be good to know where it comes from. If you read my post a couple up about my friend who got it and how I removed it manually. AVG tagged it, but could not remove, it's another safe mode issue. Other known names are often used, I think tonight's was ipconfigs.exe. I think he got it from a chat room. I actually edited the post above to reflect my thoughts it was to be deleted, sorry for the slow reply. As I said, I keep seeing it in 2's, all in windows\system32\ all using similar names to known required Windows Executables.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall SpyKiller via Add/Remove programs or did you just delete their folder? The latter method is not the correct way. It should only be used when there is no way to uninstall the program properly. At any rate you should just have HijackThis fix the following:

    O4 - HKCU\..\Run: [SpyKiller] D:\Applications\Spykiller\SpyKiller\spykiller.exe /startup

    After fixing this line and the O16 line Major (and I) mentioned, show us a normal boot mode log.
     
  14. monsieur42

    monsieur42 Private E-2

    OUF!
    I think that I managed to fix the problem, thanks to your help and the tutorial.
    The culprit seemed to be a BHO called Shorty. It was not in the list of valid BHO provided in the tutorial.
    During my trouble-shooting, I cleaned up several things, one at a time, to see if any one in particular would be effective or create a problem after deletion.
    I deleted qttask.exe, sxvhost.exe, Spykiller and finally, the BHO Shorty. See the previous scans to see the full signature of this bad BHO. As soon as the BHO Shorty was deleted, the problem disappeared.

    (To answer the previous message question, I cleaned Spykiller using Hijack This. Previously, I had deleted the folders but they were empty except for an old log file. I suppose I had uninstalled the program already, a long time ago. I did not even remember I had installed this program in the past.)

    Now, I don't want to celebrate victory too quickly but my homepage is now what I want it to be and it has been stable after 3 reboots and 3 surfing sessions on the Internet.

    There are a few other things left in my Hijack This Log that the tutorial recommends that I delete but I'd rather not, if everything is working fine now.

    In case it would be of any help to others, here is my log after the problem was fixed.

    Logfile of HijackThis v1.98.0
    Scan saved at 02:16:33, on 2004-07-22
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Applications\Winamp\Winampa.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    D:\Applications\Deamon\daemon.exe
    C:\Program Files\Wacom\TabUserW.exe
    D:\Applications\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\Applications\Highjack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - D:\Applications\Poppup killer\Popup Manager\PopupMgr_1.0.1.5.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "D:\Applications\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Applications\Deamon\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    O4 - Startup: Webshots.lnk = D:\Applications\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\poste\Local Settings\Temp\EI40_\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab


    Thanks again for your help....and the tutorial.

    Monsieur42.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good but I still don't like this line:
    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
     
  16. monsieur42

    monsieur42 Private E-2

    I agree, this line

    O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe

    looks suspicious.

    Is there a way to open it without launching the execution to see what code it contains? Would someone here be able to judge from the code what it is meant to do?
    I checked the creation date in the properties of the file and it is 19 Jul 2004, quite recent, in fact so recent that it is after I got hijacked in the first place. Therefore, it probably comes from one of the on-line scans or one of the anti-spyware programs I downloaded during my investigation of the problem.
    I am not yet decided to delete it but I am leaning on the yes side. I could always redownload any of the recent applications if any one stops working properly. Still, it would be nice to know what application it is related to.
    Any way to tell?

    Monsieur42.
     
  17. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    As I lay in bed last night, I remembered this usually comes in 2's meaning the files that need to be deleted per my instructions are setup1.exe and sxvhost.exe. He also had an executable called Zone something.exe, I don't recall the exact name, but see if it is at the bottom of your list in windows\system32\ just in case.

    The one way to tell is to do a ctrl alt delete and see if setup1.exe is running. Odds are, it should not be, setup executables usually run once to do their job. If it's running, kill it and see if your machine is ok. If I were a betting man, I would delete it.
     
  18. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not come from one of the online scanners. They only put ActiveX controls into the O16 section of the log. They do not put executable files on your system.

    Besides, every search I do for the O2 BHO Shorty with the win32app.dll file has at least three things in common:

    - the R0 & R1 esearch lines
    - the O2 BHO Shorty line
    - the O16 line with setup1.exe

    Remove that line and delete the file.
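    The three indicators chaslang lists above (the R0/R1 esearch lines, the O2 BHO Shorty / win32app.dll line, and the O16 entry that loads a local setup1.exe), plus Major Attitude's point that the trojan's O4 entries imitate names of required Windows executables (sxvhost.exe, ipconfigs.exe), can be turned into a small triage script for HijackThis-format logs. This is an added example, not code from the thread or from HijackThis. The sample log lines are constructed from entries quoted in the thread; the esearch R1 line and the Shorty BHO line carry placeholder CLSIDs and URLs, because the thread does not show those values, and the lists of known system executables and known-good BHO DLLs are illustrative assumptions.

```python
"""Triage HijackThis-style log lines for the esearch / BHO Shorty pattern.

Added example for this thread; not part of HijackThis. Sample lines are
constructed; the esearch and Shorty entries use placeholder CLSIDs/URLs.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # R0, R1, O2, O4, O16
    reason: str    # why the line was flagged
    line: str      # the raw log line


# Required Windows executables the thread says the trojan imitates (assumed short list).
SYSTEM_EXES = ("csrss.exe", "ipconfig.exe", "lsass.exe", "services.exe",
               "smss.exe", "svchost.exe", "winlogon.exe")

# BHO DLLs the thread's final, clean log shows as legitimate (assumed allow-list).
KNOWN_GOOD_BHO_DLLS = {"popupmgr_1.0.1.5.dll", "sdhelper.dll", "navshext.dll"}

# Constructed sample log (real lines quoted in the thread plus two placeholder lines).
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/",
    # placeholder: the thread mentions esearch R0/R1 lines but does not quote the URL
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://esearch.placeholder.invalid/",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    # placeholder CLSID: the thread names the Shorty BHO and win32app.dll but not its CLSID
    r"O2 - BHO: Shorty - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\win32app.dll",
    r"O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab",
])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike names such as sxvhost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def exe_from_command(cmd: str) -> str:
    """Executable name from an O4 command such as '"C:\\x\\y.exe" /tray' or 'sxvhost.exe'."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return basename(exe)


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and "esearch" in body.lower():
            findings.append(Finding(section, "start/search page points at esearch", line))
        elif section == "O2":
            # O2 - BHO: <name> - {CLSID} - <dll path>
            parts = body.split(" - ")
            name = parts[0][len("BHO: "):] if parts[0].startswith("BHO: ") else parts[0]
            dll = basename(parts[-1])
            if name.strip().lower() == "shorty" or dll == "win32app.dll":
                findings.append(Finding(section, "BHO Shorty / win32app.dll (esearch indicator)", line))
            elif dll not in KNOWN_GOOD_BHO_DLLS:
                findings.append(Finding(section, f"BHO {dll} not in known-good list; verify", line))
        elif section == "O4":
            # O4 - HKLM\..\Run: [label] <command>
            cm = re.match(r".*\[(.*?)\]\s*(.*)$", body)
            if cm:
                exe = exe_from_command(cm.group(2))
                for sysexe in SYSTEM_EXES:
                    if exe != sysexe and levenshtein(exe, sysexe) <= 2:
                        findings.append(Finding(section, f"{exe} imitates {sysexe}", line))
                        break
        elif section == "O16":
            # Online scanners register downloaded ActiveX .cab files here, never a local .exe.
            url = body.rsplit(" - ", 1)[-1].strip().lower()
            if url.startswith("file://") and url.endswith(".exe"):
                findings.append(Finding(section, "DPF entry loads a local executable, not an ActiveX cab", line))
    return findings


def esearch_families(findings) -> set:
    """Which of the three indicator families chaslang listed are present."""
    fams = set()
    for f in findings:
        if f.section in ("R0", "R1") and "esearch" in f.reason:
            fams.add("R0/R1 esearch")
        if f.section == "O2" and "Shorty" in f.reason:
            fams.add("O2 Shorty")
        if f.section == "O16" and "local executable" in f.reason:
            fams.add("O16 setup exe")
    return fams


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}: {f.line}")
    print("esearch families present:", sorted(esearch_families(found)))
```

    The legitimate entries in the sample (the sympatico start page, the NAV Helper BHO, ccApp.exe, the HouseCall cab) produce no findings; the four flagged lines are exactly the ones the thread ended up removing or questioning. The edit-distance threshold of 2 is loose enough to catch sxvhost.exe and ipconfigs.exe but will not flag an exact match, so genuine svchost.exe entries pass.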
     
  20. monsieur42

    monsieur42 Private E-2

    OK, I have been convinced. I got rid of the setup1.exe.
    The main argument for me was that the file was created very recently. This brings me to a suggestion that could be used by the developers of Hijack This to improve their already great tool: why not list in the scan data the date of creation of the files and keys. Obviously, when a hijack occurs, any file or registry change with a date coinciding with the hijack event becomes doubly suspect.

    Anyway, thanks all again for your great help. I think this is case closed for me... for this one.

    Monsieur42.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think it would work. I know file creation dates & times can be changed very easily. There are many programs written to do just that. I'm not positive whether the modification date & time can be manipulated but I would guess it can be. Thus, the writers of this malware can mess with our heads by playing with this info too. But they don't always think of doing that.
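    chaslang's caveat about trusting timestamps can be shown with nothing more than the standard library: a file's modification time is a user-settable attribute, while on Linux and macOS the inode change time (st_ctime) is set by the kernel whenever metadata is rewritten, so an mtime older than the ctime tells an investigator the stamp was rewritten after the content was last written. This is an added example, not from the thread; the sample file and the 30-day offset are constructed, and the check is a cheap cross-check rather than proof (on Windows st_ctime is the creation time, which is also rewritable, as the post notes).

```python
"""Cross-check a file's modification time against its change time.

Added example for this thread, not from the original post. Uses a constructed
temporary file; the 30-day offset is arbitrary. Assumes a POSIX ctime semantics
(inode change time); on Windows st_ctime is the creation time instead, and the
check still reports an mtime that predates creation.
"""
import os
import tempfile
import time


def mtime_predates_ctime(path: str, slack_seconds: float = 2.0) -> bool:
    """True when the modification stamp is older than the change stamp by more than slack.

    A freshly written file has mtime == ctime. Any later rewrite of the mtime
    (os.utime, a copy tool preserving timestamps, or a deliberate edit) moves
    ctime forward but leaves mtime wherever it was set, which this detects.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack_seconds


def demo() -> tuple:
    """Return (flagged_when_fresh, flagged_after_mtime_rewritten) for a constructed file."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.dat")
        with open(p, "wb") as fh:
            fh.write(b"constructed sample content")
        fresh = mtime_predates_ctime(p)          # expected False: stamps agree
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(p, (thirty_days_ago, thirty_days_ago))  # rewrite atime/mtime only
        rewritten = mtime_predates_ctime(p)      # expected True: ctime moved to now
        return fresh, rewritten


if __name__ == "__main__":
    print(demo())
```

    The same comparison is what a forensic timeline does in bulk: in a hijack investigation you would run it over the recently created files in system32, because a rewritten mtime does not change the fact that ctime (or, on NTFS, the MFT record's own timestamps) records when the entry was last touched.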
     
