Solved

Stubborn 680180

Posted on 2004-08-20
Last Modified: 2013-12-04
680180 seems to be a popular topic. I also have it pop up like popcorn on a Saturday afternoon. I'm behind a router, and have Norton 2003 running on XP. I tried to kill all the references from the previous emails that looked like my machine. But 680180 seems to be hidden well. I tried Norton, AVG, Spybot, Adaware, and Cwshredder. There were 21 instances of about 4 viruses that Norton couldn't kill. I even tried all this in Safe mode and Bart's PE with Adaware. Here's the HJ-this log before and after:


Logfile of HijackThis v1.97.7
Scan saved at 7:05:56 PM, on 8/18/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hpdllhost.exe
C:\WINDOWS\uoqgveh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tlmk3.MOHLER-0S0LUPIM\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab



Logfile of HijackThis v1.97.7
Scan saved at 9:52:18 PM, on 8/17/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hpdllhost.exe
C:\WINDOWS\uoqgveh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Iqmw.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Documents and Settings\tlmk3.MOHLER-0S0LUPIM\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0c8af29cad1529a0c2f12262efe492244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

Anyone have any cures for a sick XP?
Tom
Question by: tlmk3
Assisted Solution by: SheharyaarSaahil (earned 500 total points)
ID: 11855443
Hello tlmk3 =)

Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot ==> http://www.spychecker.com/program/spybot.html
SpySweeper ==> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger ==> http://vil.nai.com/vil/stinger
========================================================
then TURN OFF your System Restore and fix the following entries!!!!

========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll (file missing)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll (file missing)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O2 - BHO: (no name) - {4B8E3953-963E-07ED-8624-155504D77B39} - C:\WINDOWS\System32\kvoncjy.dll (file missing)
O2 - BHO: (no name) - {AA1119EE-707F-4C4B-A866-184875BB48CA} - C:\WINDOWS\System32\dskfu.dll
O2 - BHO: (no name) - {B7FF382E-BC51-ADD4-BCE0-701158078D21} - C:\WINDOWS\System32\iwknipvl\qecdrhvq.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll (file missing)
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll (file missing)
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
O4 - HKLM\..\Run: [58RG5X55KR3NE9] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
====================================================================

1. Restart your machine
2. Boot into Safe Mode and log in as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then go to My Computer > Tools > Folder Options > View and turn on the Show Hidden Files feature
6. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
7. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the ContentIE folder
8. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here.
9. Reboot back into Normal Mode and check if the problems are gone
10. If YES then great, otherwise download HijackThis v1.98.2, run it, save the LOG file and post it here:
http://tools.radiosplace.com/HijackThis.exe


!! GOOD LUCK !!
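The list above is the expert's manual triage of the R/O2/O3/O4/O16 lines. As an added example (not code from the thread, from HijackThis, or from either poster), here is a small Python script that applies the same kinds of rules to a log: orphaned references, unnamed COM objects, Run keys with random-looking names or odd targets, executables dropped straight into C:\WINDOWS, and ActiveX downloads from hosts outside an allowlist. The allowlist, the rule names and the embedded sample lines are assumptions of the example.

```python
import re
# Allowlist of vendors/hosts the thread's expert left untouched (Norton, Spybot,
# the stock &Radio toolbar, Macromedia): an assumption of this example, not of HJT.
TRUSTED = ("Norton AntiVirus", "Symantec Shared", "Spybot", "msdxm.ocx", "download.macromedia.com")
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RANDOM_KEY = re.compile(r"^[A-Z0-9]{10,}$")             # e.g. 58RG5X55KR3NE9
WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")  # file sitting in C:\WINDOWS\ itself

def parse(log_text):
    """Yield (section, body) for every R*/O* line of a HijackThis log."""
    for line in log_text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            yield m.group("sec"), m.group("body")

def run_target(body):
    """Executable path of an O4 Run entry; quoted paths may contain spaces."""
    rest = body.split("]", 1)[-1].strip()
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]

def reason(sec, body):
    """Rule that makes an entry suspect, or None if it looks benign."""
    if any(t in body for t in TRUSTED):
        return None
    if "(file missing)" in body or "(no file)" in body:
        return "orphaned reference"
    if "(no name)" in body:
        return "unnamed COM object"
    if sec == "O4":
        key = re.search(r"\[(.+?)\]", body)
        target = run_target(body).lower()
        if key and RANDOM_KEY.match(key.group(1)):
            return "random-looking Run key name"
        if not target.endswith(".exe"):
            return "Run target is not a .exe"
        if WINROOT_EXE.match(target):
            return "autorun dropped directly in the Windows folder"
    if sec == "O16":
        return "ActiveX download from host outside allowlist"
    return None

def triage(log_text):
    """[(section, rule, entry)] for every suspect entry in the log."""
    return [(s, r, b) for s, b in parse(log_text) if (r := reason(s, b))]

# Constructed sample: a few lines copied from the thread's first HijackThis log.
SAMPLE = r"""R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {40883E03-C53E-02B8-8624-155504D77C32} - C:\WINDOWS\System32\bue.dll (file missing)
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [svfw32m] C:\WINDOWS\System32\svfw32m.ex
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\uoqgveh.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab"""
```

The heuristics narrow the log to the orphaned, unnamed, oddly named and untrusted-host entries; items such as hpdllhost.exe or midaddle.dll in the expert's list still need vendor knowledge, which is why the thread asks for a fresh log rather than an automatic fix.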
Accepted Solution by: SheharyaarSaahil (earned 500 total points)
ID: 11855535
Also disable your Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
Expert Comment by: rossfingal
ID: 11859008
Hi! tlmk3

First, there is an updated version of HijackThis out (version 1.98.2)
You should download it and run it.
Download from here:
http://www.subratam.org/?page=removal
Or:
http://www.zerosrealm.com/downloads/hjt.zip

Also, you should move HijackThis to a permanent folder of its own - something like:
C:\Program Files\HJT\HijackThis.exe - whatever you like.
That way the backups that HJT makes will all be in one place.

Before you attempt to fix anything -
You have a Peper Trojan on your system, and it's usually considered a good idea to remove it first.
Do the following to remove it:
Download Newuninst.exe from: http://downloads.subratam.org/Newuninst.exe
Run it and make sure you have an active internet connection.
Reboot and run the tool once again (again with an active internet connection).

Download PeperFix.exe from: http://downloads.sbratam.org/PeperFix.exe
Start it and click Find and Fix.
Reboot into "Safe" mode and run the tool a second time to make certain it's done its job.
Reboot into "Normal" mode when finished and post a new HijackThis log here (version 1.98.2 !?!)  :).

Good luck!
RF
Author Comment by: tlmk3
ID: 11916753
I think that just running HijackThis did most of the work. But I followed your suggestions and it hasn't reappeared. It looks like you have the points. I tried your suggestions first and never got around to rossfingal's suggestions (I do appreciate his contribution) but yours was the one I used. Thank you.
tlmk3
Expert Comment by: SheharyaarSaahil
ID: 11916812
Glad you got it solved..... Cheers ^_^