gallilleo, Posted January 17, 2005

Hi there, hope someone can help because I'm at a total loss. I know I have some malware/spyware on my PC, Adaware and Spybot remove mountains of the stuff, but the problem is that on re-booting it's all back again (bargain buddy and DSO exploit are a couple that spybot picks up again after each re-boot). Couple of interesting points, my windows firewall is down and I just can't get it back up again (possibly unrelated), and each time I reboot, the mouse pointer jumps to the recycle bin icon on the desktop and opens the contents window. I have just run hijack this BEFORE (again) trying to remove anything with adaware and spybot. This is the logfile. Many thanks for any help.

Keith.

Logfile of HijackThis v1.99.0
Scan saved at 21:35:30, on 17/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\Rar$EX00.015\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intheteam.com/lumleyladiesfc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [GScBo6] C:\WINDOWS\lexvtnf.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
Besttechie, Posted January 17, 2005

Hi and Welcome,

You might want to print this out so you can follow the directions better.

First off, you don't have HJT in a permanent folder. Click My Computer, then C:\. In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it. This will allow backups to be made and saved by HijackThis in case something goes wrong. Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

Next, close all windows except HijackThis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intheteam.com/lumleyladiesfc

Did you set http://www.intheteam.com/lumleyladiesfc <--- as your homepage? If not, have HijackThis fix it.

Still in HijackThis, have it fix these:

O4 - HKLM\..\Run: [GScBo6] C:\WINDOWS\lexvtnf.exe
.......
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Then make sure you unhide all hidden files and folders.
How to unhide hidden files and folders

Then reboot into Safe Mode (How to boot into Safe Mode).

From Safe Mode, delete the following files and/or folders in red:

C:\WINDOWS\lexvtnf.exe
C:\WINDOWS\zeta.exe

Reboot into normal mode and post a new log.

Good luck!

B
gallilleo (Author), Posted January 17, 2005

Hi BT, done all that you asked. Lumley Ladies FC is a legit website by the way...

New log.........

Logfile of HijackThis v1.99.0
Scan saved at 23:20:48, on 17/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intheteam.com/lumleyladiesfc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)

Could the last O23 entry be why my firewall won't start?

Many thanks.

Keith.
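The checks a helper does by eye on these logs, written out as an added example (this is not code from the thread, from HijackThis or from either poster): parse the R/O entry lines, flag the three patterns the thread turns on (an entry marked "(file missing)", a service path carrying two drive roots like the ICS line above, and an executable sitting directly in C:\WINDOWS as lexvtnf.exe and zeta.exe did), then diff the first and second logs to confirm what actually disappeared after the fix. The two sample logs are short excerpts of the ones posted above; the flag names and the Windows-root heuristic are this example's own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a few lines excerpted from the first log posted
# in this thread (the state before the fix). Running-process lines and the
# header are included to show that the parser skips them.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GScBo6] C:\WINDOWS\lexvtnf.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

# Constructed sample input: the same excerpt from the second posted log.
LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")   # "O4 - ...", "R1 - ..."
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\")                       # each "C:\" in a path
# Heuristic (assumption of this example): a bare .exe directly under the
# Windows folder rather than under system32 or Program Files.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str

    def line(self) -> str:
        return f"{self.code} - {self.body}"

    @property
    def path(self) -> str:
        """Best-effort extraction of the file an O4 or O23 entry points at."""
        body = self.body.replace(" (file missing)", "")
        if self.code == "O4":
            # O4 - HKLM\..\Run: [name] <command line>
            m = re.search(r"\] (.*)$", body)
            return m.group(1).strip() if m else ""
        if self.code == "O23":
            # O23 - Service: <name> - <vendor> - <path>
            return body.rsplit(" - ", 1)[-1].strip()
        return ""


def parse_log(text: str) -> list:
    """Keep only the R/O entry lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag_entry(entry: Entry) -> list:
    """Return the flag names (this example's own vocabulary) an entry raises."""
    flags = []
    if "(file missing)" in entry.body:
        flags.append("file-missing")
    if len(DRIVE_ROOT_RE.findall(entry.path)) > 1:
        flags.append("doubled-drive-root")   # e.g. C:\WINDOWS\C:\WINDOWS\...
    if WINDOWS_ROOT_EXE_RE.match(entry.path):
        flags.append("exe-in-windows-root")
    return flags


def review(text: str) -> dict:
    """Map each flagged entry line to its list of flags."""
    return {e.line(): flag_entry(e) for e in parse_log(text) if flag_entry(e)}


def diff_logs(before: str, after: str) -> tuple:
    """(entries that disappeared, entries that appeared) between two logs."""
    b = {e.line() for e in parse_log(before)}
    a = {e.line() for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, flags in review(LOG_BEFORE).items():
        print(", ".join(flags), "->", line)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed after fix:", removed)
    print("new after fix:", added)
```

On the excerpt above the review flags exactly the three entries the helper acted on or commented on, and the diff shows the GScBo6 Run entry and the ZESOFT service gone while the malformed ICS service line persists, which is the situation the poster is asking about.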
Besttechie, Posted January 18, 2005

Let's try this...

1) Click on Start, Settings, Control Panel
2) Choose Add/Remove Programs
3) Select the Bullseye Network and click Add/Remove. During the uninstall you are required to fill out a survey asking why you uninstalled the product; also be careful in answering the Yes/No questions during the uninstall since they are worded in such a way as to make you keep the product.

Then go to this path and delete the rest if still there. Delete the red part (if still there; if not, don't worry about it).

C:\Program Files\BullsEye Network\bin\bargains.exe

Next, open HijackThis and close all windows and delete the following.

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

Reboot and post a new log.

Good luck!

B
gallilleo (Author), Posted January 18, 2005

Hi BT, thanks for your help here.

I'd sussed the bullseye network last night and successfully uninstalled. Just had hijack this fix what you asked for and re-booted. New log appended.

Adaware now finds nothing, but Spybot still reports the DSO exploit, which I'm sure I can fix after doing a google search.

I'm a little concerned about the admanager and workflow entries on the log, what do you think? And I still can't get my windows firewall running. On trying to start the firewall I get the message "windows firewall settings cannot be displayed because the associated service is not running, do you want to start the windows firewall/internet connection sharing (ICS) service?" On clicking yes I'm told that Windows cannot start the ICS service. Any ideas? I'm still not happy about the last line of the log, even though HJT reports that svchost is active.

Many thanks once again.

Keith.

Logfile of HijackThis v1.99.0
Scan saved at 17:33:59, on 18/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\devldr32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intheteam.com/lumleyladiesfc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
Besttechie, Posted January 18, 2005

Hi,

Ok, as for workflow.exe, it is legit, it's not spyware. More info here...
http://www.liutilities.com/products/wintas...brary/workflow/

Next, open HijackThis and have it fix the following...

O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe

Then reboot into Safe Mode once more, and delete the following files and/or folder in red.
How to boot into Safe Mode

C:\Program Files\Admanager Controller\AdManCtl.exe

Then reboot into normal mode and post a new logfile.

Now, as for your firewall not working, I believe that has to do with this line.

O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)

DON'T fix that line. It's not bad.

What I would try is this:

Start
Run
type: sfc /scannow
Enter

Let it run, and follow what it tells you. Note: you will need a Windows CD to have it replace that missing file.

Hope that helps.

Good Luck!

B
gallilleo (Author), Posted January 18, 2005

Many thanks BT, did as you asked, ended up doing a windows overwrite (upgrade), probably not what you meant, just me missing something, but the end result is that I now have a firewall again and a clean computer.

Many thanks once again for your time and expertise. Thank goodness for people like you.

All the best.

Keith.
Besttechie, Posted January 19, 2005

No problem. Glad you got everything fixed. Also, be sure you check this out.
How did I get infected in the first place?

B