Solved

Stubborn 680180

Posted on 2004-08-20
Last Modified: 2013-12-04
680180 seems to be a popular topic. I also have it pop up like popcorn on a Saturday afternoon. I'm behind a router, and have Norton 2003 running on XP. I tried to kill all the references from the previous emails that looked like my machine. But 680180 seems to be hidden well. I tried Norton, AVG, Spybot, Adaware, and Cwshredder. There were 21 instances of about 4 viruses that Norton couldn't kill. I even tried all this in Safe mode and Bart's PE with Adaware. Here's the HJ-this log before and after:


Logfile of HijackThis v1.97.7
Scan saved at 7:05:56 PM, on 8/18/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hpdllhost.exe
C:\WINDOWS\uoqgveh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tlmk3.MOHLER-0S0LUPIM\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab



Logfile of HijackThis v1.97.7
Scan saved at 9:52:18 PM, on 8/17/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hpdllhost.exe
C:\WINDOWS\uoqgveh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Iqmw.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Documents and Settings\tlmk3.MOHLER-0S0LUPIM\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

Anyone have any cures for a sick XP?
Tom
 
Question by:tlmk3
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 500 total points
ID: 11855443
Hello tlmk3 =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then TURN OFF ur System Restore and fix the following entries !!!!

========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
====================================================================

1. Restart ur machine
2. Boot into safemode and Log in as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then go to MyComputer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Go to C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Go to C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Go to C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe


!! GOOD LUCK !!
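As an added example (not code from this thread, from HijackThis, or from either expert), a small Python triage pass over log lines in the format posted above. It flags the same classes of entries the fix list above singles out: orphaned BHO/toolbar registrations, unnamed add-ons, Run entries that launch unlisted binaries from the Windows directory, and ActiveX (O16) downloads from hosts that are not on an allowlist. The allowlists and the sample log are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Allowlists are constructed for this example, not an authoritative source.
KNOWN_RUN = {"nerocheck.exe", "msconfig.exe"}   # benign Run entries that live under %WINDIR%
KNOWN_DPF_HOSTS = {"download.macromedia.com"}   # hosts from which ActiveX (O16) downloads are expected
O4_RE = re.compile(r'^O4 - .*?\[(?P<key>[^\]]+)\]\s+(?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$')
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.\w{2,3})(?=\s|$)')   # quoted path, or path up to its extension
def run_target(cmd):
    # Executable path from an O4 command line; handles quoted paths and trailing switches.
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def triage_line(line):
    """Return a review reason for one HijackThis log line, or None if nothing stands out."""
    line = line.strip()
    if "(file missing)" in line or line.endswith("(no file)"):
        return "dangling registration: target file is already gone, remove the entry"
    if line.startswith(("O2 - BHO: (no name)", "O3 - Toolbar: (no name)")):
        return "unnamed BHO/toolbar: legitimate add-ons normally carry a display name"
    m = O4_RE.match(line)
    if m:
        path = run_target(m.group("cmd"))
        exe = path.rsplit("\\", 1)[-1].lower()
        if not exe.endswith(".exe"):
            return "Run entry with unusual extension: " + exe
        if path.lower().startswith("c:\\windows") and exe not in KNOWN_RUN:
            return "Run entry launching an unlisted binary from the Windows dir: " + exe
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname
        if host not in KNOWN_DPF_HOSTS:
            return "ActiveX download from non-allowlisted host: " + str(host)
    return None

def triage(log_text):
    """Return [(line, reason)] for every line of the log that needs a human look."""
    return [(l.strip(), r) for l in log_text.splitlines() for r in [triage_line(l)] if r]

# Constructed sample in HijackThis v1.97 log format, modelled on the entries in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
"""
```

Running `triage(SAMPLE_LOG)` yields five flagged entries; the allowlisted NeroCheck, the quoted ccApp path and the Macromedia download pass clean.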
LVL 65

Accepted Solution

by:SheharyaarSaahil
ID: 11855535
Also Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
LVL 12

Expert Comment

by:rossfingal
ID: 11859008
Hi! tlmk3

First, there is an updated version of HijackThis out (version 1.98.2)
You should download it and run it.
Download from here:
http://www.subratam.org/?page=removal
Or:
http://www.zerosrealm.com/downloads/hjt.zip

Also, you should move HijackThis to a permanent folder of its own - something like:
C:\Program Files\HJT\HijackThis.exe - whatever you like.
That way the backups that HJT makes, will all be in one place.

Before you attempt to fix anything -
You have a Peper Trojan on your system, and it's usually considered a good idea to remove it first.
Do the following to remove it:
Download Newuninst.exe - Download from: http://downloads.subratam.org/Newuninst.exe
Run it and make sure you have an active internet connection.
Reboot and run the tool once again (again with an active internet connection).

Download PeperFix.exe - Download from: http://downloads.sbratam.org/PeperFix.exe
Start it and click Find and Fix.
Reboot into "Safe" mode and run the tool a second time to make certain it's done its job.
Reboot into "Normal" mode when finished and post a new HijackThis log here (version 1.98.2 !?!)  :).

Good luck!
RF
Author Comment

by:tlmk3
ID: 11916753
I think that just running HijackThis did most of the work. But I followed your suggestions and it hasn't reappeared. It looks like you have the points. I tried your suggestions first and never got around to Rossfingal's suggestions (I do appreciate his contribution) but yours was the one I used. Thank you.
tlmk3
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11916812
glad u got it solved..... Cheers ^_^