The Boss is Down! Hijack needs review

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KT99, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. KT99

    KT99 Private E-2

    Any help would be appreciated.


    Logfile of HijackThis v1.98.0
    Scan saved at 11:50:26 AM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\PROGRA~1\WHENUS~1\Search.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\System32\pow_mtf.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\WINDOWS\System32\sdfnf914.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Documents and Settings\sforman.FORMAN.000\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: FeaturedResultsBHO Class - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Message Queuing ] c:\windows\msmqs.exe /nodelay /fastlogon /synclinks
    O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [n9EA2A] C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    O4 - HKLM\..\Run: [SCI5JKy7] C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [436P3ml] pow_mtf.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [sysinfo] sysinfo.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [L0pFRgJEQ] sdfnf914.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = forman.local
    O17 - HKLM\Software\..\Telephony: DomainName = forman.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = forman.local
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  2. NeoNemesis

    NeoNemesis Moutharrhea

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. KT99

    KT99 Private E-2

    I have done all you have asked but not closer to a solution. Please see the log file listed below:

    Logfile of HijackThis v1.98.0
    Scan saved at 2:44:34 PM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\PROGRA~1\WHENUS~1\Search.exe
    C:\WINDOWS\System32\pow_mtf.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\e5Cg.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\sdfnf914.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\Documents and Settings\sforman.FORMAN.000\Desktop\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Message Queuing ] c:\windows\msmqs.exe /nodelay /fastlogon /synclinks
    O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [n9EA2A] C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    O4 - HKLM\..\Run: [SCI5JKy7] C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [436P3ml] pow_mtf.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [e5Cg] C:\documents and settings\sforman.forman.000\local settings\temp\e5Cg.exe
    O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Fsm6BY.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [sysinfo] sysinfo.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [L0pFRgJEQ] sdfnf914.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = forman.local
    O17 - HKLM\Software\..\Telephony: DomainName = forman.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = forman.local
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  5. krazykrl

    krazykrl Sergeant Major

    Looks like the same exact log, did you run Spybot, Ad-aware? In Safe Mode?
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    No, you have not done as asked. It clearly asks you to close all open programs just for starters. You're wasting our time and yours. Please start a new thread when you follow at least those 4 steps in the tutorial, and we can hopefully be of help then.

    http://forums.majorgeeks.com/showthread.php?t=35407
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of problems in there. I agree it does not look like you even ran the scans we recommended, especially not in safe mode. But let's assume you did. First you should get rid of
    Spyware Begone. If installed, uninstall it. If it is only that freescan line in your log:
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    Have HijackThis fix that line and delete the c:\freescan directory. Spyware Begone is a fake spyware removal tool listed in our sticky thread in this forum.

    Download and unzip about:Buster but do not run yet. Get it here: http://www.majorgeeks.com/download4289.html

    Please download and run SpySweeper (update it immediately). Clean what it finds. Get it here: http://www.majorgeeks.com/download3263.html

    Since there is so much garbage in your log, let's take this slowly (a few things at a time).

    At a command prompt run the following command:

    regsvr32 /u msiefr40.dll

    Look in Control Panel, Add/Remove Programs for SaveNow, WhenUShop, WhenUSearch, WhenUSave, and New.Net (there could be other variations) and uninstall them.

    Bring up task manager (CTRL-ALT-DEL) and end these processes (if found)
    IEhost.exe
    dp-him.exe
    pow_mtf.exe
    n9EA2A.exe
    SCI5JKy7.exe



    Shut down all applications (especially Internet Explorer) and have HijackThis fix these lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigbr.cc?u=1510 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
    O2 - BHO: FeaturedResultsBHO Class - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [436P3ml] pow_mtf.exe
    O4 - HKLM\..\Run: [n9EA2A] C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    O4 - HKLM\..\Run: [SCI5JKy7] C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - WWW Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
    O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=


    Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Enable viewing of hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Find these and delete them:
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\dp-him.exe
    pow_mtf.exe <---- this could be in C:\ or C:\Windows, or C:\Windows\System, or C:\windows\system32
    C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
    C:\documents and settings\sforman.forman.000\local settings\temp\SCI5JKy7.exe
    C:\WINDOWS\System32\msiefr40.dll

    Close all applications and run about:Buster and save log.

    Reboot normal and post about:Buster log and a new HijackThis log

    There's more but let's start with just that.
     
    Last edited: Jul 22, 2004
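The triage in the post above rests on a few reading habits that generalise to any HijackThis log: the R0/R1 values HijackThis marks "(obfuscated)" and the percent-encoded O13 prefixes decode to the same hijacker host, Run entries that launch from a temp directory are almost never legitimate, and bare filenames such as pow_mtf.exe have to be located on disk before a verdict. The script below is an added example written for this page, not a MajorGeeks tool and not part of the thread; it automates those three checks over a handful of lines copied from the log posted here (the sample is constructed from those lines, and the severity labels "high" and "review" are the example's own convention).

```python
"""Triage helper for HijackThis-style logs (added example, not a MajorGeeks tool)."""
import re
from urllib.parse import unquote

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [n9EA2A] C:\documents and settings\sforman.forman.000\local settings\temp\n9EA2A.exe
O4 - HKLM\..\Run: [436P3ml] pow_mtf.exe
O13 - DefaultPrefix: http://%62%69%67%62%72%2E%63%63?u=1510&error=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""

URL_RE = re.compile(r"https?://\S+")
# O4 lines look like: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a command line, quoted or not, stopping at whitespace or a comma.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|bat|scr))"?(?:[\s,]|$)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def decode_url(url):
    """Percent-decode a URL. Returns (decoded, was_encoded)."""
    decoded = unquote(url)
    return decoded, decoded != url


def triage(log_text):
    """Return (line, severity, reason) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("R0", "R1", "O13"):
            # Browser start/search pages and URL prefixes: decode percent-encoded hosts.
            for url in URL_RE.findall(line):
                decoded, encoded = decode_url(url)
                if encoded:
                    findings.append((line, "high", f"percent-encoded URL decodes to {decoded}"))
                elif "(obfuscated)" in line:
                    findings.append((line, "high", "HijackThis flagged the value as obfuscated"))
        elif section == "O4":
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup entries use a different layout; skipped here
            em = EXE_RE.match(m.group("cmd"))
            exe = em.group("exe") if em else m.group("cmd")
            if TEMP_RE.search(exe):
                findings.append((line, "high", "autorun launches an executable from a temp directory"))
            elif "\\" not in exe and ":" not in exe:
                # No directory at all: Windows resolves it via the search path, so the
                # file has to be found on disk (C:\, C:\Windows, System32, ...) first.
                findings.append((line, "review", "bare filename, locate the file on disk before deciding"))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run as-is it reports four lines from the sample: the flagged R1 search page, the O13 prefix (shown decoded to the same bigbr.cc host), the temp-directory autorun, and pow_mtf.exe as a bare name to locate first. The Acrobat BHO and the ThinkPad tray entry pass, which is the point of keeping the heuristics narrow: the script narrows the log down, it does not replace the human judgement the helper applies to the rest.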