Solved

Possible BKDR Sandbox.A infection. Please help with HijackThis log.

Posted on 2004-04-13
Last Modified: 2010-04-11
Hello, I am trying to fix a friend's laptop. He has updated NAV and run a full scan and it finds no infection, yet his CPU is running constantly at 100%. The .exe files that are taking all the resources change constantly: xit95.exe, hiq2.exe, GcgOLIcr.exe etc. I have a feeling this could be the BKDR Sandbox.A infection. Below is a log from HijackThis; can you please let me know which files to delete (or any other ideas what this could be)?
Cheers

Logfile of HijackThis v1.97.7
Scan saved at 19:48:53, on 13/04/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\docume~1\sambut~1\locals~1\temp\KNv3b.exe
C:\docume~1\sambut~1\locals~1\temp\pTYGq.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\inmsdw.exe
C:\WINDOWS\System32\Hiq2.exe
C:\WINDOWS\System32\Ebq69jNP.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\SAM BUTLER\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rleague.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [5I2qWA.exe] C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
O4 - HKLM\..\Run: [KNv3b.exe] C:\docume~1\sambut~1\locals~1\temp\KNv3b.exe
O4 - HKLM\..\Run: [pTYGq.exe] C:\docume~1\sambut~1\locals~1\temp\pTYGq.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\VchsZQoq.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [inmsdw] C:\WINDOWS\System32\inmsdw.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://dot-sandy18.cc-827043.namezero.com/nl/webinstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.493275463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Question by: eyequit

13 Comments

Expert Comment by Luniz2k1 (LVL 5), ID: 10816836
Start, Run, taskmgr, and kill all of those processes that are using up all of the CPU. Then run regedit, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and remove any suspicious entries (anything in this section runs when Windows starts). Then reboot the PC. When it comes back up, you can then continue with cleaning it out. Do a full custom scan with NAV and have it scan all drives and all files, even ones in compressed files. I would recommend using Ad-Aware to clean out any spyware.

Author Comment by eyequit, ID: 10816950
Hi, I forgot to add that I have already run Ad-Aware and quarantined 246 files. Also I just got rid of some kind of search bar that was sitting just above the taskbar. That seems to have got rid of the problem of the CPU running at 100%. Still, the computer is attempting to dial up as soon as it turns on.

Expert Comment by Luniz2k1 (LVL 5), ID: 10817022
Heh, first time that you mentioned it trying to dial up to the inet :p

Author Comment by eyequit, ID: 10817175
Sorry, I just woke up and wasn't thinking straight. It doesn't try to dial up every time either! Just most times.

Expert Comment by rossfingal (LVL 12), ID: 10821482
Hi!

Download and run CWShredder (from the same person who gave us HijackThis), make sure it's the latest version - 1.56.1, I think.
Also, when you ran Ad-aware, is it the latest update - 01R287 11.04.2004?
Don't know where to start - you've got browser hijackers, executables running from a temp folder, at least one dialer, etc.
I'll list things you should get rid of (not knowing exactly what you have installed on your computer); this is only advice - back up!
That was a disclaimer!
The following are usually web page hijackers/adware/spyware:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rleague.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

Programs running from a temp file: (Huh?)
O4 - HKLM\..\Run: [5I2qWA.exe] C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
O4 - HKLM\..\Run: [KNv3b.exe] C:\docume~1\sambut~1\locals~1\temp\KNv3b.exe
O4 - HKLM\..\Run: [pTYGq.exe] C:\docume~1\sambut~1\locals~1\temp\pTYGq.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

The next one looks like a {morze1} variant:
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\VchsZQoq.exe

More adware/spyware garbage:
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

dial.blueyonder - a dialer, maybe?!?
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://dot-sandy18.cc-827043.namezero.com/nl/webinstall.cab

You said you got rid of something - maybe post another Hijack This log.

Good luck!
(By the way, the things listed above are obvious - don't really like troubleshooting this stuff over the internet)
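As an added illustration (not code from the thread or from HijackThis itself), the following Python script applies the triage rules the expert used by hand to a log in this format: O4 autoruns launched from a temp folder or registered under a bare filename, R0/R1 browser settings pointing at a host the owner did not choose, O6 policy restrictions, and O16 ActiveX downloads from hosts outside an allow-list. The allow-lists and the sample log are constructed assumptions for the demo.

```python
"""Triage helper for HijackThis v1.97-style logs (added example).

Mechanises the checks applied by hand in the thread. The allow-lists and
SAMPLE_LOG below are constructed assumptions, not data from any real scan.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: hosts this machine is expected to use for ActiveX and home pages.
TRUSTED_O16_HOSTS = {"v4.windowsupdate.microsoft.com", "download.macromedia.com"}
EXPECTED_PAGE_HOSTS = {"dial.blueyonder.co.uk"}

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# Matches both the 8.3 form (locals~1\temp) and the long form of the user temp dir.
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty if it looks benign)."""
    line = line.strip()
    found: List[Finding] = []
    if (m := O4_RE.match(line)):
        name, cmd = m.group("name"), m.group("cmd")
        if TEMP_DIR_RE.search(cmd):
            found.append(("high", "autorun launched from a temp folder", line))
        if name.lower().endswith(".exe"):
            # Legitimate vendors use a product name here, not the file name.
            found.append(("medium", "Run value named after its own executable", line))
    elif (m := R_RE.match(line)):
        value = m.group("value")
        if value.startswith("http") and host_of(value) not in EXPECTED_PAGE_HOSTS:
            found.append(("medium", f"browser setting points at {host_of(value)}", line))
    elif line.startswith("O6 - ") and line.endswith(" present"):
        found.append(("medium", "IE policy restriction set; confirm it was intended", line))
    elif (m := O16_RE.match(line)):
        h = host_of(m.group("url"))
        if h not in TRUSTED_O16_HOSTS:
            found.append(("high", f"ActiveX control downloaded from {h}", line))
    return found


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log, preserving line order."""
    return [f for ln in text.splitlines() for f in triage_line(ln)]


# Constructed sample in the shape of the first log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [KNv3b.exe] C:\docume~1\sambut~1\locals~1\temp\KNv3b.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://dot-sandy18.cc-827043.namezero.com/nl/webinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The heuristics are deliberately narrow; anything flagged still needs a human to confirm against what is actually installed, as the expert does above.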
 
LVL 12

Expert Comment

by:rossfingal
ID: 10821532
Some entries I forgot in my previous post:

C:\WINDOWS\uptodate.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\docume~1\sambut~1\locals~1\temp\KNv3b.exe
C:\docume~1\sambut~1\locals~1\temp\pTYGq.exe
C:\Program Files\ClearSearch\Loader.

Thought I might add that you probably have a {Cool Web Search} variant - that's why you should run CWShredder.

As always - good luck!

Author Comment by eyequit, ID: 10821924
Thanks for your help!

I've got rid of a lot of things so far using Ad-aware and Housecall; turned out there were four different viruses on the machine! (The list I posted was before running Ad-aware.)

I think blueyonder might have been my friend's ISP in the UK, but I'm not sure of that...

Now I have the problem of Internet Explorer running incredibly slooooooooowwwwwly (and badly!)

Also things like the My Documents folder won't open from the Start menu... or when it does it's taking 30 seconds!

I'm not sure if this is something I've done or damage from the viruses,

but I think I've got rid of them all at least.

Do you think it would be a good idea to try and repair the install from the original XP disc?
At the moment I'm thinking the best idea is to save what I can and do a full XP reinstall.

Anyway, here's the latest HijackThis log...

Logfile of HijackThis v1.97.7
Scan saved at 22:02:03, on 14/04/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\SAM BUTLER\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netguide.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netguide.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetGuide Magazine
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [5I2qWA.exe] C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [5I2qWA] C:\docume~1\sambut~1\locals~1\temp\5I2qWA.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netguide.co.nz
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.493275463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I just noticed two .exe files still running from a temp file!!!! Like you said, huh???

Expert Comment by rossfingal (LVL 12), ID: 10822194
Hi!
Were you able to download and run CWShredder?
You should run that before HijackThis.
Start your computer in Safe Mode (probably hit F8 repeatedly at start-up) and run HijackThis.
Have it fix the things listed above.
I noticed that this, from your first log: O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/ - has changed to this: O14 - IERESET.INF: START_PAGE_URL=http://www.netguide.co.nz. Is NetGuide Magazine your start page?

You're still showing these, which are adware/spyware:
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

If this is your own computer and you haven't set policy restrictions, the next two are questionable:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


While in Safe Mode, delete the strange executables from the temp folder(s) - don't delete the "temp" folder!

Also, look in your Hosts file and see if there are any unusual entries. The first entry should be something like this:
127.0.0.1  localhost - you can open it with Notepad.

I'm not against doing a repair/reinstall (sometimes it amounts to "good house-keeping"); however, there are things that can hide themselves in the Restore folder, so depending on how you do it they can come back.

Also, run msconfig.exe and see what's running at startup.

Good luck and Happy Hunting!

Expert Comment by rossfingal (LVL 12), ID: 10822204
Oh, and before you restart from Safe Mode, empty your recycle bin!

Author Comment by eyequit, ID: 10827066
Hi Ross,
I have run CWShredder; it found one thing in the registry that needed fixing. Done.
Re-ran HijackThis in Safe Mode and got rid of the two spyware DLL files and the files from the temp folder.

I'm not sure about the policy restrictions; I can't imagine Sam wanting these (or knowing how to set them).

The hosts file only had the one entry: 127.0.0.1  localhost

And the NetGuide homepage was there because I installed an updated version of IE provided by NetGuide Magazine.

Here is the list of what's running at startup:

Ati2mdxx
atiptaxx
Apoint
TPTray
(something with no name or command - looks suspicious to me, located in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run folder)
CePMTray
CeEKey
wkfud
WksSb
WkDetect
ezSP_Px
DragDrop
ccApp
ccRegVfy
REGSHAVE
Sync
Microsoft Works Calendar Reminders
Microsoft Office
Exif Launcher

The last three are in the Common Startup location.
All the rest are in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run folder.

Once again thanks for all your help!

Accepted Solution by rossfingal (LVL 12), earned 350 total points, ID: 10828606
Hi!

Unless you have the option in Spybot Search and Destroy set to lock home pages, you should have HijackThis fix these two:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

It's also not a bad idea to set the Hosts file to read only.

Go to Start > Run, type msconfig.exe and look at what's in your startup list - if you see anything that looks suspicious, you could try to disable it (might have to do this in Safe Mode).

Other than that it looks clean - make sure your friend knows to keep Adaware, CWShredder, Virus, etc. updated.

Good luck!

Author Comment by eyequit, ID: 10830154
I think that's just about sorted it, thanks so much for all your help Ross!!!

Expert Comment by rossfingal (LVL 12), ID: 10835134
Hi!

Glad someone here could help!

Remember, keep everything up to date (Ad-aware just released another update today, the 15th).

Thanks and good luck!