# Virus: backdoor.SdBot



## Firenze (May 10, 2003)

i have got a virus the name is backdoor.SdBot
Norton antivirus find it but i cant delete it or put it in quarantaine so norton said that my computer still is infected by the virus. it said that the file who is infected is system32.exe
Please somebody help me!
what can i do to get this virus away from my computer?

Regards
Firenze


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board. 

Please do this:

Go to http://www.tomcoyote.org/hjt/, and download Hijack This.

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless, so do NOT fix anything yet.
Someone here will be happy to help you interpret the results.

It will allow us to determine where this file starts up, which will in turn help us to delete it.


----------



## Stephdon (May 20, 2003)

I have this same virus in the same file...
Could you help me determine what needs to go if I post my results from the "hijack this" software here?

Thanks, 

Steph.


----------



## TonyKlein (Aug 26, 2001)

Absolutely!

That's why we frequently request people to show a HT log.
It's an invaluable troubleshooting tool.

Go right ahead, and post it. If you have any spyware or worse, it almost always stands out.


----------



## Etrigan_Ca (May 20, 2003)

Hey there.. I've got a problem with the same virus... heres my HT log..

Logfile of HijackThis v1.94.0
Scan saved at 4:50:47 AM, on 20/05/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.secretlair.com/bites/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.nationstates.net/cgi-bin/index.cgi/pin=66530950/logout=1ates.net"); (C:\Documents and Settings\Etrigan\Application Data\Mozilla\Profiles\default\0jounal2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Etrigan\Application Data\Mozilla\Profiles\default\0jounal2.slt\prefs.js)
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "D:\My Music\X Program - Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} (Web Browser Applet Control) - http://www.parachatfree.com/pchat/chatfree/classes
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37586.645787037
O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - 
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Ctfmon.exe is the program I suspect, though Norton isn't even detecting any virii anymore.. when I reboot Norton is always disabled


----------



## TonyKlein (Aug 26, 2001)

No virus to be seen.

And read up on Ctfmon.exe here:

OFFXP: What Is CTFMON and What Does It Do? (Q282599)

You do want to check the following in Hijack This, and press "fix checked":

*O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - *

Cheers,


----------



## Etrigan_Ca (May 20, 2003)

When Norton detected the virus on my system the first time it was in the Sys32 file in my Sys directory which is now gone...

Also when I boot up my system Norton is always disabled and I have to go in and manually enable it.. if I try to configure it to auto detect, etc.. the box to select that option is greyed out.. I've tried reinstalling Norton, still didn't help.


----------



## Etrigan_Ca (May 20, 2003)

Maybe some of this info might help?

http://forums.techguy.org/showthread.php?s=&postid=872078#post872078


----------



## TonyKlein (Aug 26, 2001)

Well, in either log there's no virus or trojan seen to be starting up or running.

I would discourage you from posting the same question at two different locations. It gets very confusing that way.

If you want a second opinion, run an online virus scan at Trend Micro HouseCall or Panda Active Scan

Afterwards do the following:

Shut down NAV, end task on all NAV files in the Ctrl-alt-delete window, and uninstall NAV once more.
Reboot when you're asked to.

Next, download and run Rnav.exe
It helps remove leftover NAV registry keys.

Now remove the NAV Program Files folder, if it's still there, and the VirusDefs folder in Program Files\Common Files\Symantec Shared.
Finally, copy the contents of your NAV CD-ROM to your drive, and install NAV in Safe Mode.

Good luck ,


----------



## IMM (Feb 1, 2002)

Just a comment - you seem to be running 2 different AV's at the same time (NAV and AVG). If they are both set to scan on access (realtime) - this will give headaches.


----------



## TonyKlein (Aug 26, 2001)

Excellent point! 

I totally overlooked that.


----------



## Stephdon (May 20, 2003)

You just don't know how much I appreciate this Tony!
I have tried everything that Norton told me to do and it just isn't solving this problem...

So, anyways, here is my log.......

Logfile of HijackThis v1.94.0
Scan saved at 7:54:29 AM, on 5/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=107312
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O1 - Hosts: 216.239.37.101 www.kazaa-download.de
O1 - Hosts: 216.239.37.101 www.mp3downloadhq.com
O1 - Hosts: 216.239.37.101 www.easymusicdownload.com
O1 - Hosts: 216.239.37.101 easymusicdownload.com
O1 - Hosts: 216.239.37.101 www.mp3madeeasy.com
O1 - Hosts: 216.239.37.101 www.monstershare.com
O1 - Hosts: 216.239.37.101 www.kazaa-plus.net
O1 - Hosts: 216.239.37.101 kazaa-plus.net
O1 - Hosts: 216.239.37.101 www.kazaa-plus.com
O1 - Hosts: 216.239.37.101 www.edonkey.com
O1 - Hosts: 216.239.37.101 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.37.101 www.kazaaplatinum.com
O1 - Hosts: 216.239.37.101 www.madeformusic.com
O1 - Hosts: 216.239.37.101 ikazaa.net
O1 - Hosts: 216.239.37.101 www.mp3u.com
O1 - Hosts: 216.239.37.101 www.mp3specialty.com
O1 - Hosts: 216.239.37.101 music-download-world.com
O1 - Hosts: 216.239.37.101 song-download-world.com
O1 - Hosts: 216.239.37.101 www.flixs.net
O1 - Hosts: 216.239.37.101 www.ishareit.net
O1 - Hosts: 216.239.37.101 www.ishareit.com
O1 - Hosts: 216.239.37.101 www.download-doctor.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.2.11.0\HbHostIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MediaLoads Installer] C:\Program Files\MSN\MSNCoreFiles\dw.exe /H
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22b78f35f87eaf482a04/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.deluxserials.com/mp3.exe
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.4634259259
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/recipebuddie/websetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab


----------



## TonyKlein (Aug 26, 2001)

Well, you have a LOT of spyware.

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=107312

O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O1 - Hosts: 216.239.37.101 www.kazaa-download.de
O1 - Hosts: 216.239.37.101 www.mp3downloadhq.com
O1 - Hosts: 216.239.37.101 www.easymusicdownload.com
O1 - Hosts: 216.239.37.101 easymusicdownload.com
O1 - Hosts: 216.239.37.101 www.mp3madeeasy.com
O1 - Hosts: 216.239.37.101 www.monstershare.com
O1 - Hosts: 216.239.37.101 www.kazaa-plus.net
O1 - Hosts: 216.239.37.101 kazaa-plus.net
O1 - Hosts: 216.239.37.101 www.kazaa-plus.com
O1 - Hosts: 216.239.37.101 www.edonkey.com
O1 - Hosts: 216.239.37.101 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.37.101 www.kazaaplatinum.com
O1 - Hosts: 216.239.37.101 www.madeformusic.com
O1 - Hosts: 216.239.37.101 ikazaa.net
O1 - Hosts: 216.239.37.101 www.mp3u.com
O1 - Hosts: 216.239.37.101 www.mp3specialty.com
O1 - Hosts: 216.239.37.101 music-download-world.com
O1 - Hosts: 216.239.37.101 song-download-world.com
O1 - Hosts: 216.239.37.101 www.flixs.net
O1 - Hosts: 216.239.37.101 www.ishareit.net
O1 - Hosts: 216.239.37.101 www.ishareit.com
O1 - Hosts: 216.239.37.101 www.download-doctor.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL

O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.2.11.0\HbHostIE.dll

O4 - HKLM\..\Run: [MediaLoads Installer] C:\Program Files\MSN\MSNCoreFiles\dw.exe /H
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22b78f35f87eaf...ip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.deluxserials.com/mp3.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ul...er_Enhancer.exe
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http//hot.activebuddy.com/catalog/...ie/websetup.cab*

After rebooting, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,


----------



## Stephdon (May 20, 2003)

Hey there..thanks again for all your help...
I deleted all those entries and scanned with Spybot...there was one file that spyspot could not get rid of even after a restart..
it is entitled "NewNet"

Now will all this get rid of this virus or are there more steps I need to do now?

I am running my NAV right now to see if the virus is gone...

I'll let you know if it is still on here....

Thanks bunches!
Steph.


----------



## TonyKlein (Aug 26, 2001)

All this was spyware that needed to be removed, and doesn't have anything to do with your System32 trojan.

It's startup entry isn't there any more, so I would assume that it isn't active either, and therefore rendered harmless.

Do a Find Files for that system32.exe file. If you still have it, you should be able to delete it without a prob.


----------



## Stephdon (May 20, 2003)

I'm glad it isn't active anymore!
When I do a search, do I delete all files that say system32.exe?

As you can tell, I am not at all smart about this kind of thing...lol...

Thanks, 

Steph.


----------



## TonyKlein (Aug 26, 2001)

I doubt whether you'll find more than one, if that.

There's no legitimate Windows file called like that, so if a System32.exe comes up, feel free to delete it.


----------



## Stephdon (May 20, 2003)

Well, I found a couple files with the system32.exe..

I was able to delete one of them but I keep getting this error,

"Cannot delete file:Cannot read from the source file or disk",

when I try to delete the other...

Any ideas?


----------



## TonyKlein (Aug 26, 2001)

You are certain that the file name is system32.exe??

We're NOT talking about folders called System32, or files starting with "system32" but having an other extension.


----------



## Stephdon (May 20, 2003)

I think I figured out why I was getting that error.

I checked my Norton and it is stated that it found 1 virus and deleted it, it was the system32.exe...so I figured that is why I was getting that particular error, because Norton had already deleted it.

Could that be right?

Steph.


----------



## TonyKlein (Aug 26, 2001)

Yup, that sounds logical.

So it would appear you're all clean now!


----------



## Stephdon (May 20, 2003)

And I have you to Thank!

THANK YOU TONY!!!


----------



## TonyKlein (Aug 26, 2001)

You're welcome.

Happy surfing!


----------



## Toddy147 (Jun 12, 2003)

i also have this Trojan cant seem to get rid of it so i did a log also and here it is

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 3.5\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Paltalk\pnetaware.exe
C:\Paltalk\palnet.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\RMUTCH~1\LOCALS~1\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\R Mutch\Start Menu\Programs\Startup]
PalNetaware.lnk = C:\Paltalk\pnetaware.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
IMONTRAY = C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
freesurfer = C:\Program Files\Free Surfer\fs20.exe
Mirabilis ICQ = C:\Program Files\ICQ\ICQNet.exe
AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
ICQ Plus = "C:\Program Files\ICQPlus\vplus.exe"
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\Program Files\ICQ\ICQ.exe -trayboot

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\Webshots.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[symsupportutil]
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD4A.OSD

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

[AV Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PAV.dll
CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

[mhLabel Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mhLbl.dll
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?1047388811107

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ie_grokster.dll
CODEBASE = http://www.grokster.com/rdx/RdxIE.cab

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{D9EC0A76-03BF-11D4-A509-0090270F86E3}]
CODEBASE = http://www.spywarelabs.com/1203030306/VBouncerOuter1203.EXE

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll

--------------------------------------------------
End of report, 7,172 bytes
Report generated in 0.062 seconds


----------



## TonyKlein (Aug 26, 2001)

But that's a clean log. Why do you have the impression you have a trojan?

Does your antivirus tell you so, and if so, where does it say it is?


----------



## Toddy147 (Jun 12, 2003)

Well i have run all checks and cant find one but i did a trojan check on spygate and it gives me this message

Service Trojan 
port 5000
Status Open bubbel,backdoor setup, Socket de Troi
however If you think im clean im more than happy


----------



## TonyKlein (Aug 26, 2001)

It's just a port _used_ by such a trojan, and according to your trojan check it would be open.

I'd look for a second opinion. Run a few of the tests you'll find here: http://www.pcflank.com/test.htm


----------



## Toddy147 (Jun 12, 2003)

Ok thats great thanks 
I was just worried that It was still lingering
Thanks for your help you guys doa a great job


----------



## TonyKlein (Aug 26, 2001)

You're welcome!


----------



## heards (Jun 19, 2003)

Well it looks like I'm the next victim

Logfile of HijackThis v1.94.0
Scan saved at 12:59:16 PM, on 6/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~3\defalert.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [svshosts] svshosts.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [svshosts] svshosts.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Norton is saying backdoor.sdbot is in my svshost.exe. I found it this morning. luckly zonealarm notified me it was trying to connect to the net so I blocked it. I currently have 5 files that are qaurantined, 2 I had to manually pull since they were the svshost.exe. I dont know what to do, I'm afraid svshost is a real windows program. Can you help me??


----------



## heards (Jun 19, 2003)

Not sure if you need this one to but:
StartupList report, 6/19/2003, 1:27:47 PM
StartupList version: 1.52
Started from : C:\My Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svshosts.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\My Downloads\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\User\Start Menu\Programs\Startup]
iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SoundMan = SOUNDMAN.EXE
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
NPS Event Checker = C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
NAV DefAlert = C:\PROGRA~1\NORTON~1\NORTON~3\defalert.exe
WinFaxAppPortStarter = wfxsnt40.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
svshosts = svshosts.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpyBotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

svshosts = svshosts.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

myBar BHO - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\NewDotNet\newdotnet4_88.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\User\LOCALS~1\Temp\UpdOnRbt.exe||C:\DOCUME~1\USER\LOCALS~1\TEMP\UPDATE.INI||C:\DOCUME~1\User\LOCALS~1\Temp\~ef7194.tmp||C:\DOCUME~1\User\LOCALS~1\Temp\~ef7194.tmp||C:\DOCUME~1\User\LOCALS~1\Temp\~ef7194.tmp

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,445 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Top Banana (Nov 11, 2002)

svshost.exe\svshosts.exe are not Windows files and need to be removed.

Scan with HijackThis, put a checkmark at and "Fix checked"

O4 - HKLM\..\Run: [svshosts] svshosts.exe
O4 - HKLM\..\RunServices: [svshosts] svshosts.exe

*Restart* your computer.

Delete

svshosts.exe

Also remove New.net from Add or Remove Programs.

Download Spybot S&D. Update SS&D via the "Online" tab. Search for and download all updates. Close Internet Explorer, hit "Check for problems". After scan hit "Fix selected problems".


----------



## heards (Jun 19, 2003)

Well Top Banana. Everything work, but when I woke up this morning found another message from norton. The virus was now in here C:\System Volume Information\_restore{C61b58BDC-3655-4854-87f0-7D367a97DBE4}\RP43\A0007166.exe

Yesterday I ran through your instructions, but didnt know that there was a back up of this thing in the highjackthis program. Could this be what norton was detecting?? I deleted the files, rescan with norton but it didnt find it. My computer is set up with 2 users do I need to clean both?? Sorry for all the questions. Here is another snapshot of Highjackthis

Logfile of HijackThis v1.94.0
Scan saved at 9:22:38 AM, on 6/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~3\defalert.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## fwilson (Jun 20, 2003)

This looks like a very useful forum! I too have got the backdoor.sdbot on my PC. I've followed the instructions and here's my HijackThis log. Any help would be very gratefully received! Thanks.

Logfile of HijackThis v1.94.0
Scan saved at 10:06:55, on 20/06/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by blueyonder
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Top Banana (Nov 11, 2002)

heards

C:\System Volume Information\_restore{C61b58BDC-3655-4854-87f0-7D367a97DBE4}\RP43\A0007166.exe

This file is in your System Restore folder. Disable System Restore > Restart > Enable System Restore will purge this folder. Or XP will eventually do it.

Do you need to clean both? No.

Your log is fine.


----------



## Top Banana (Nov 11, 2002)

fwilson

Remove Save via Add or Remove Programs.

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe

Restart your computer and delete

System32.exe
cmd32.exe


----------



## heards (Jun 19, 2003)

I'm sorry not really sure how to do this. Can you tell me how to access the system restore folder or what program this is in. Someday I'll learn the ins and outs of my computer


----------



## Top Banana (Nov 11, 2002)

XP System Restore


----------



## fwilson (Jun 20, 2003)

Thanks for the reply Top Banana - 1 question before I can continue, you said: "Remove Save via Add or Remove Programs" what does 'Save' refer to? The saved Hijack This report? Or a program called 'Save'? The only thing that fits in the Add/Remove programs list is 'Save Now'?

Sorry if I'm being daft!


----------



## Top Banana (Nov 11, 2002)

Remove SaveNow via Add or Remove Programs.


----------



## krahsniy (Jun 23, 2003)

Thanks for the tip Top Banana on deleting the svshost.exe boxes on the hijackthis program.

I did some maintence on my system today and discovered that my firewall, although stating that was working, wasnt. So I downloaded ZoneAlarm and after it was installed my anti-virus program woke up and advised me that I had the backdoor.SdBot virus in my svshost.exe file. I spent about an hour on the net looking for a way to get rid of it when I read this forum. 5 mins and a reboot later and its gone.

Thanks again.


----------



## Top Banana (Nov 11, 2002)

:up:


----------



## fwilson (Jun 20, 2003)

Hi Top Banana,
Thanks for the instructions. Couldn't find cmd32.exe to delete, but deleted System32.exe. Ran NAV again and it still found Backdoor.Sdbot, this time in Dc5.exe. So here is my latest run through from HijackThis - are you able to help again...please?

Logfile of HijackThis v1.95.0
Scan saved at 12:40:24, on 25/06/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Fiona Wilson\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by blueyonder
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for looking!


----------



## Top Banana (Nov 11, 2002)

Hi fwilson,
I cannot see it running. Your log is clean. Could you post the path so we could ascertain its' location?


----------



## Cyn25 (Jun 29, 2003)

*HI I ALSO HAVE THE BACKDOOR.SDBOT*...I can`t delete or quarantine "System32.exe" the virus is still in my computer!

PLEASE HELP ME! Here is my HIJACK THIS LOG:

Logfile of HijackThis v1.95.0
Scan saved at 06:41:41 a.m., on 29/06/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\System32.exe
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\NMain.exe
C:\ARCHIV~1\NORTON~1\NORTON~1\navw32.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\QConsole.exe
C:\ARCHIV~1\NORTON~1\NORTON~1\navw32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Cinthya Vargas\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http:///animeroyal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: op.kazaa.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\archivos de programa\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [MMTray] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Erotic (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://09.sharedsource.org/cabs/buscacancioneses.cab
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1040.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

HEEEEEEEEEEEEEELP!!!!!!!!!!!!!!


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries. Close all windows except for HijackThis before fixing.

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: op.kazaa.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O9 - Extra button: Erotic (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.ne...ccessXP1040.cab

Restart your computer and delete

System32.exe
WinStart001.exe


----------



## Cyn25 (Jun 29, 2003)

Hi TOP BANANA, THANK'S A LOT! I'VE ALREADY REMOVED THE VIRUS!
ONLY ONE MORE QUESTION: WHAT WHERE THOSE ENTRIES Y JUST DELETED?
COULD YOU EXPLAIN ME PLEASE?


----------



## worried (Jun 5, 2003)

are you out there? I have a question for you...

If you have you computer disconnected from everything (printer...internet...etc) should your computer have any open ports and if so...which ones?

worried


----------



## mskup (Jul 3, 2003)

I am new at this , so forgive my mistakes . I did this hijack thing for the sdbot troj and here are my log file . I use sophos antivirus , but the cannot delete the file . So please help !!!

Logfile of HijackThis v1.95.0
Scan saved at 1:56:55 PM, on 7/3/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\symantec\winfax\WFXMOD32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\Explorer_.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos SWEEP for NT\WSWEEPNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.haaretzdaily.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Explorer] Explorer_.exe
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer_.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37796.9892824074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked"

O4 - HKLM\..\Run: [Windows Explorer] Explorer_.exe
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer_.exe

Restart your computer and run a virus scan.


----------



## mskup (Jul 3, 2003)

Thanks a million . 
How can you avoid to get this type of trojan back into yr system ?/:up:


----------



## worried (Jun 5, 2003)

Yes,
That certainly would be the question of the day...wouldn't it?


----------



## JakeKool (May 23, 2003)

Dont download ANY of these of Kazaa ever again

.VBS
.EXE
.PIF
.SCR
.BAT
.COM
I guess .SHS too 

Thats it, you'll be fine


----------



## fwilson (Jun 20, 2003)

Dear Top Banana,
Sorry for the delay in replying, I have rescanned with NAV and it's not finding any infection so I think you've done it! Thanks for your help. 

Just one other query: every time I switch my computer on, NAV Auto-protect is always switched off. I keep re-enabling it, but it doesn't seem to stay on once I switch the machine off. Is there a way to fix this? The email scanning bit is always on though fortunately!

Thanks again for your previous help.


----------



## Top Banana (Nov 11, 2002)

Hi fwilson,
Glad to hear your computer is clean. I can't be of any help I'm afraid as I don't use NAV.


----------



## YiPPee (Jul 4, 2003)

Hi....there!

I have the same virus also called backdoor.sdbot. Tried to deleted but I can't. So I download the hijack n gotta unzipped. And, its show me all my HT, then, I got stucked from there. No clue which one should I check n fix. Could anyone please help how can I get the virus out...Tks!!!

Here its my HT....Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\System32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
C:\Program Files\DownloadWare\dw.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Norton Internet Security Professional\SymPxSvc.exe
C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Kathy\Application Data\Mozilla\Profiles\default\tl0lbl4f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kathy\Application Data\Mozilla\Profiles\default\tl0lbl4f.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/ieaccess3XP.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.terra.es/personal5/ultrasky/megans_cam/2804.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37633.2566550926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## fwilson (Jun 20, 2003)

Hi Top Banana,
No problem, thanks for all your help. Hope not to be back here too soon, but know where to come next time I've got a problem!


----------



## TheDust (Jul 5, 2003)

Same virus please help me my log file of the hijackthis program is below, i had the virus in the system32.exe fileand norton antivirus deletes the file but i think i will need that registry file so what can i do and i also cannot hear anything from my speakers and i think this is because of the virus because everything is installed correctly and no problems occur when i follow the troubleshooting steps please help me

Logfile of HijackThis v1.95.0
Scan saved at 6:41:38 PM, on 7/5/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\SuperBar\sbhc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\The Dust\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: SuperBar - {6DD47305-A5B5-47D3-9DD9-088F3A608A16} - C:\Program Files\SuperBar\SuperBar.Dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37805.3709490741


----------



## Quirijn (Jul 6, 2003)

Tony can you help me out as well. I also have a problem with the backdoor trojan. I allready used Hijack this, so maybe you can tell me what to do.

Thanx

Logfile of HijackThis v1.95.0
Scan saved at 18:07:31, on 6-7-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Q.E.V. Ruitenberg\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanx


----------



## JakeKool (May 23, 2003)

Ouch lotta people have SDBot.. another OPEN SOURCE one, so there are thousands of variants with new ones being made all day 

http://tds.diamondcs.com.au however TDS-3 should detect this one in a memory scan.


----------



## aRcHd3viL (Jul 12, 2003)

hi can any1 help me? NAV detected backdoor.sdbot
below is my log file
thx

Logfile of HijackThis v1.95.0
Scan saved at 1:06:20 AM, on 7/13/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Shared\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\srvany.exe
C:\winnt\system32\drivers\scvhost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\winnt\system32\hidden32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\TrayIcon.exe
C:\WINNT\SYSTEM32\starter.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\System32\internat.exe
C:\WINNT\system32\klm\ws32kza.exe
C:\Program Files\ICQPlus\vplus.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\YiMinG\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://sg.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINNT\System32\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [kza] C:\WINNT\system32\klm\ws32kza.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003011601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37659.256099537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10E82EDB-4211-4DDD-932D-DEF906A9D6AD}: Domain = scv


----------



## mskup (Jul 3, 2003)

I too have for the second time the famous sdbot and seem not to be able to erase it . Here is my file :
Logfile of HijackThis v1.95.0
Scan saved at 12:37:50 AM, on 7/13/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINNT\System32\Explorer_.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\WINLOGON_.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WFXSVC.EXE
C:\symantec\winfax\WFXMOD32.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\OMGSYS.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.haaretzdaily.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [W1N32.DLL] C:\WINNT\WINLOGON_.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O9 - Extra button: ATI TV (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003070401/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37796.9892824074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Please help !!!!


----------



## topdawg712 (Jul 13, 2003)

I just found this forum, so here's my log:

Logfile of HijackThis v1.95.0
Scan saved at 3:26:56 AM, on 7/13/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PestPatrol\PPMemCheck.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\SuperBar\sbhc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Go!Zilla\gozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erik\Local Settings\Temp\Temporary Directory 1 for hijackthis195.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.pcclub.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: SuperBar - {8C14689B-F5C2-4EBE-B5F7-2DD5F5E005FE} - C:\Program Files\SuperBar\SuperBar.Dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://wwb.ieplugin.com/adcampaigns/webplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/061daa9d6cfb61032d00/netzip/RdxIE601.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37642.6431944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab


----------



## tjarrow (Jul 20, 2003)

I also have for the dreaded sdbot Virus and seem not to be able to erase it . Pleases Help. Here is my file :

Logfile of HijackThis v1.95.1
Scan saved at 8:50:36 PM, on 7/19/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\E_S00RP1.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\NETD16.EXE
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\1stQRes\1stqres.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Tom\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://approvedlinks.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://approvedlinks.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: 1st QuickRes.lnk = C:\Program Files\1stQRes\1stqres.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\PhotoPC 550\Image Expert\IXApplet.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV03.EXE
O4 - Global Startup: file.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: worldchat.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/930260cd062fd5/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C0BBC3-82F3-4EAA-A625-42893BCAC3F6}: NameServer = 207.44.96.129 204.186.0.202


----------



## dohoanmy (Jul 18, 2003)

to ArcHd3Vil :

fix this :

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Never seen this before :
O4 - HKCU\..\Run: [kza] C:\WINNT\system32\klm\ws32kza.exe


----------



## dohoanmy (Jul 18, 2003)

To mskup :
fix this

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.haaretzdaily.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.pandora.be:8080
O4 - HKLM\..\Run: [W1N32.DLL] C:\WINNT\WINLOGON_.exe


----------



## dohoanmy (Jul 18, 2003)

fix these with HThis

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.pcclub.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: SuperBar - {8C14689B-F5C2-4EBE-B5F7-2DD5F5E005FE} - C:\Program Files\SuperBar\SuperBar.Dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product...erInstaller.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/12030303...erOuter1203.EXE
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab

use Spybot S&D at security.kolla.de to get rid of these :
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net


----------



## dohoanmy (Jul 18, 2003)

sorry , i forgot one thing that the previous message is about the log of topdawg712 , good luck


----------



## dohoanmy (Jul 18, 2003)

and To tjarrow :

use HT to fix these , you should also visit security.kolla.de to download Spybot S&D and run it .

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://approvedlinks.com/
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: worldchat.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/...sCamControl.ocx


----------



## JakeKool (May 23, 2003)

O1 - Hosts: 203.161.127.141 www.dcsresearch.com

is a good hosts entry for TDS-3 forum

TDS-3 detects these SDBots in memory, make sure you have updated databases and just run a Process Memory Scan (you could always submit the file for analysis)


----------



## Veledan (Jul 24, 2003)

Hey everyone, i'm new to the boards and i've read up quite a bit on this virus, i've tried what you all have said to help the others, but the damn thing continues to bug the crud outa me, heres my log for Hijackthis!

Logfile of HijackThis v1.95.1
Scan saved at 5:43:02 PM, on 7/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dante Sparda\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ign.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {555fa9a7-f611-4e81-b16d-6045e16659c9} - C:\DOCUME~1\DANTES~1\APPLIC~1\gpvblwssh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: arcblbllchs - {ad0378e8-1e4c-401f-aca5-664e4f281ece} - C:\DOCUME~1\DANTES~1\APPLIC~1\gpvblwssh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12110/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37822.1861458333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12110/CTPID.cab

Note: For AIM *aol instant messanger, I know you all know what AIM is, but just in case...* I'm using Deadaim 4.0, and for MSN i'm using MSN 6 with Plus! installed as an addon, i'm fairly sure those aren't of any problem, but I thought it maybe helpfull for that to be noted.

At any rate, if someone could please help me with this, I would so greatly appreciate it, I just recently reformatted my hdd and this damn thing popped up, i'm sure all of you realise the frustration. Anyways thanks to anyone who took the time out of their day to read this post, I appreciate any and all comments, thanks 

PS. Oh, and one last thing, Norton Utilities 2003 has "removed" it several times, I checked through my registry where Norton told me to look and to no avail, Spybot has never found anything about it and the file "explorer.exe" frequently and randomly appears on my C drive, I know thats the trojan but...eh, well you all get what I mean, i'll end this here since i'm frustrated to hell with this thing. Thanks Again.


----------



## Flrman1 (Jul 26, 2002)

Hi Veledan

Welcome to TSG!

Rub hijack This again and put a check by these. close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

O2 - BHO: (no name) - {555fa9a7-f611-4e81-b16d-6045e16659c9} - C:\DOCUME~1\DANTES~1\APPLIC~1\gpvblwssh.dll

O3 - Toolbar: arcblbllchs - {ad0378e8-1e4c-401f-aca5-664e4f281ece} - C:\DOCUME~1\DANTES~1\APPLIC~1\gpvblwssh.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

Restart your computer

Also go here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.05.AX for info on sdbot. You may want to give the Trend Micro System Cleaner a try it is on that page.


----------



## Veledan (Jul 24, 2003)

Thanks a lot! I did exactly what you told me and it seems to have worked, I haven't gotten a pop-up from that damn thing yet, thanks again for all your help, but one last question about this; in my Hijackthis! folder it seems that the files it fixed were backed up inside that folder, do you think it'd be safe for me to get rid of those? Again, I have to thank you for the help, I can finally enjoy my reformatted PC again without having to worry about that damn virus, i'll try and return the favor somehow, Take Care

Oh, and i'd normally have NO problem at all donating..but as of late I haven't been in the best financial situation, but once I do get some "fun money" i'll be sure to toss some your way.


----------



## Flrman1 (Jul 26, 2002)

You're welcome Veledan!

As a general rule I would say to leave the backups for a week or so to give enough time to make sure you haven't inadvertantly removed something you want/need. 

Happy Surfing!


----------



## billbee (Jul 25, 2003)

I also have the system32.exe problem - here is the log. Hope you can help

BillBee

Logfile of HijackThis v1.95.1
Scan saved at 10:30:44 AM, on 7/25/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\EBAYTBAR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\EBAYBAND.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPVIEWER\FPLAUNCH.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY490.DLL
O3 - Toolbar: Adult Links - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLO~1\QCBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR490.DLL
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\EBAYBAND.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [LoadBlackD] "C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE"
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Startup: eBay Toolbar.LNK = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EBAYTBAR.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.trinsic.org/download_serial.exe
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/ieaccess3.cab
O16 - DPF: {765E6B09-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QcBar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37699.579849537
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.visuallearner.com/TSCCinst.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {001F2570-5DF5-11D3-B991-00A0C9BB0874} (eBay Helper Object) - http://download.ebay.com/toolbar/eBayTBar.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vqgi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.21.128.22,216.21.129.22


----------



## Flrman1 (Jul 26, 2002)

Hi billbee

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

O3 - Toolbar: Adult Links - {765E6B09-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLO~1\QCBAR.DLL

O4 - HKLM\..\Run: [System32] System32.exe

O4 - HKLM\..\RunServices: [System32] System32.exe

O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://usa-download.nocreditcard.co...L/ieaccess3.cab

O16 - DPF: {765E6B09-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QcBar.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vqgi.com

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.21.128.22,216.21.129.22
Restart your computer and delete 
The C:\WINDOWS\SYSTEM\SYSTEM32.EXE file (you may have to restart in safe mode to delete this file) Look here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for info on how to start in safe mode.

What you are probably going to need to do is download this exefix08 utility avaliable on Reticulated Toys,

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

unzip it and then restart in Safe Mode

Run the exefix because the system32.exe may have attached itself to registry shell open commands which will execute any time an exe is run.

You may also want to go here and do an online virus scan.
http://housecall.trendmicro.com/

Now download Spybot here http://www.tomcoyote.org/SPYBOT/, if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.


----------



## Alekos (Jul 26, 2003)

Hi...
I have the same prob as many others here, and i hope you can help me too...
here is my loc:

Logfile of HijackThis v1.95.1
Scan saved at 22:23:49, on 26.07.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\System32.exe
C:\Programme\RF Wireless Device\cm20.exe
C:\Programme\DownloadWare\dw.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Trojancheck 6\tcguard.exe
C:\t-online\Browser\Browser.exe
C:\DOKUME~1\Alekos\LOKALE~1\Temp\Rar$EX00.653\HijackThis.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F0 - system.ini: Shell=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Programme\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Assistent - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Programme\RF Wireless Device\cm20.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Programme\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [KAZAA] "C:\Programme\Kazaa Lite\kpp.exe" "C:\Programme\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Ulead Photo Express SE Calendar Checker.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Erinnerungen für Microsoft Works-Kalender.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Assistent) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFC68E10-C118-4692-B9E1-C1D04E5AC312}: NameServer = 217.5.99.9 194.25.2.129

i also read that this virus renames itself and svchost.exe runs in the background. i have the information, that i should search this file and delete it, but i cann't found...so i hope you can help...


----------



## Flrman1 (Jul 26, 2002)

Hi Alekos

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

F0 - system.ini: Shell=

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Programme\MediaLoads Enhanced\ME2.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Programme\DownloadWare\dw.exe" /H

O17 - HKLM\System\CCS\Services\Tcpip\..\{BFC68E10-C118-4692-B9E1-C1D04E5AC312}: NameServer = 217.5.99.9 194.25.2.129

Restart your computer in safe mode and delete
The C:\WINDOWS\System32\System32.exe file
See here http://service1.symantec.com/SUPPOR...001052409420406 on how to start in safe mode if you don't know how.

Next Please do the following:

Download Spybot - Search & Destroy here http://security.kolla.de/ , if you haven't already got the program.
Install the program, and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

When you're done restart your computer.

Be sure and take advantage of the "Immunize" feature. It will help protect you from future attacks.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it and install it . Be sure to check for udates frequently. These two together will go a long way toward keeping you spyware free.


----------



## Alekos (Jul 26, 2003)

Thank you very much firman1.
My system is ok now...


----------



## Flrman1 (Jul 26, 2002)

Glad to help!


----------



## JakeKool (May 23, 2003)

hm this is not sdbot stuff please close this thread ? shrug

ps if anyone wants to code a generic sdbot remover gimme an email its in my profile


----------



## fwilson (Jun 20, 2003)

HI,
Have now picked up the virus W32.Kwbot.F.Worm which apparently can run Backdoor.SDBot. Here is my HijackThis file - TopBanana was a great help a few weeks ago so I'm pinning my hopes on this forum.

Logfile of HijackThis v1.95.0
Scan saved at 21:55:36, on 29/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Fiona Wilson\Desktop\Windows Media player 9.5b.exe
C:\WINDOWS\System32\ms_bak.tmp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Fiona Wilson\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by blueyonder
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks v. much in advance!


----------



## TonyKlein (Aug 26, 2001)

Check, and have Hijack This fix the following items:

*O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe*

Now restart your computer, and delete the RunDll16.exe file, if it's still there.

I don't see it running though, so it may be gone already.


----------



## fwilson (Jun 20, 2003)

Thank you! Seems to be all clear now. This forum's great!


----------



## TonyKlein (Aug 26, 2001)

Excellent!


----------



## sirgalin (Jul 31, 2003)

here is my hijack log

Logfile of HijackThis v1.95.1
Scan saved at 12:12:19 PM, on 7/31/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\Grokster\Grokster.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Advertising Killer\akiller.exe
D:\Shareaza\Shareaza.exe
C:\Program Files\MozillaFirebird\MozillaFirebird.exe
C:\WINDOWS\System32\taskmgr.exe
D:\eMule\emule.exe
D:\Winrar\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.703\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Gr02.dll
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v1\scbar.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - (no file)
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAZAA] D:\Grokster\Grokster.exe /SYSTRAY
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AKiller] "D:\Advertising Killer\akiller.exe"
O4 - HKCU\..\Run: [Shareaza] "D:\Shareaza\Shareaza.exe" -tray
O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

please feel free to let me know what is not needed beyond what may be a problem (ie. winrar.exe, is it necessary in here to run the program) as well stuff like the "shockwave" values.

thanks.


----------



## sirgalin (Jul 31, 2003)

also, spybot couldnt remove 2 cydoor entries in system32 folder cd_htm.dll and cd_clint.dll, i havent tried restart and remove but are these a problem?

thanks,


----------



## dipak (Aug 1, 2003)

hey there folks i got the same problem and was wondering if you wouldnt mind giving me a helping hand on how to fix it. i would also want to know how this got on my system??? anyways here my hjt log:

Logfile of HijackThis v1.95.1
Scan saved at 13:20:45, on 01/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.EXE
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton Internet Security\NISUM.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Sygate\SPF\Smc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Norton Internet Security\SymProxySvc.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\Program Files\Norton Internet Security\NISSERV.EXE
F:\WINDOWS\System32\System32.exe
F:\Program Files\Norton Internet Security\IAMAPP.EXE
F:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Creative\ShareDLL\CtNotify.exe
F:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
F:\Program Files\Creative\ShareDLL\MediaDet.Exe
F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
F:\WINDOWS\System32\RUNDLL32.EXE
F:\WINDOWS\System32\devldr32.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Messenger Plus! 2\MsgPlus.exe
F:\Program Files\Winamp\Winampa.exe
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bundle.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\CursorXP\CursorXP.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.829\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe F:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3826409e-fd8d-4814-b8f5-0c6ab8ba29b7} - F:\DOCUME~1\ADMINI~1\APPLIC~1\phoiellgry.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\windows\downloaded program files\googletoolbar_en_1.1.70-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\windows\downloaded program files\googletoolbar_en_1.1.70-big.dll
O3 - Toolbar: tqufruieprb - {f1d996ae-ae0d-46a7-af6d-2f2dcf8bccb4} - F:\DOCUME~1\ADMINI~1\APPLIC~1\phoiellgry.dll
O4 - HKLM\..\Run: [iamapp] F:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] F:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] F:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WT GameChannel] F:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SAHBundle] F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] F:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SureCleanProfessional] "F:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://f:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://f:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://f:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://f:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://f:\windows\downloaded program files\GoogleToolbar_en_1.1.70-big.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.wildtangent.com/install/jvm/msjavx86_3805.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06b09c7933939d4b1f05/netzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.60-big/GoogleNav.cab
O16 - DPF: {7380B862-BA18-4529-8972-C66B82AA5D1D} (AccountTracking Class) - http://moneymanager.egg.com/customer/accounttracking.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37643.2318055556
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab


----------



## shortnpretty (Mar 2, 2003)

Welcome to TSG dipak and sirgalin

If you post your HJT log in new, separate threads, you most likely would get help sooner...  Just a suggestion. The techs have many, many logs to review and its easier for them to find them in threads separated by separate posts.

GOOD LUCK!! :up:


----------



## dipak (Aug 1, 2003)

thanks for the advise but how do i do that?


----------



## shortnpretty (Mar 2, 2003)

Excellent job dipak...you got it. :up: Now someone that knows more how to read the HJT (i'm learning) will see your post and help ya. 

GOOD LUCK!!


----------



## Vash-TS (Jul 26, 2003)

i've got the same problem. and a porn pop up problem 
help me PLZZZZZ..

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\System32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\RSNet\RSEDNClient.exe
D:\WINDOWS\System32\aupdate.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Documents and Settings\Chris\Application Data\DownloadPlus.exe
C:\Program Files\BitTorrent++\BT++.exe
D:\Program Files\rb32\rb32.exe
C:\Program Files\Winamp3\winamp3.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=Explorer.exe D:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - D:\WINDOWS\System32\ssurf022.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - D:\WINDOWS\System32\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast_2K] D:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SafeSurfingUpdate] D:\Program Files\SafeSurfing\SSUpdate.exe
O4 - HKLM\..\Run: [rb32 lptt01] "D:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] D:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [AutoUpdater] D:\WINDOWS\System32\aupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Download Plus.lnk = D:\Documents and Settings\Chris\Application Data\DownloadPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37754.4508796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab


----------



## Flrman1 (Jul 26, 2002)

Vash-TS

You have the RapidBlaster parasite.
First click on the link below and it will download RapidBlaster Killer. Close all browser windows. Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry. When it is finished restart your computer.

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe

Finally go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Restart your computer.

Come back and post another Hijack This log and we'll see if there is anything left.


----------



## Flrman1 (Jul 26, 2002)

ATTENTION!!!!

Anyone who has posted in this thread and has been overlooked or anyone who is about to post in this thread that needs help with a Hijack This log.

Please start your own thread. You will get help quicker. It is always better to start your own thread as these threads that have been going on and on get very confusing and many people get lost in the shuffle. Also many of the techs that come here will be looking for new threads and not likely to see your post buried in here.


----------



## axtel (Aug 3, 2003)

I have this virus on our Network. I downloaded the hijack.exe tool and have created a log file from one of the network pc.

this is the log

Logfile of HijackThis v1.96.0
Scan saved at 12:11:21 PM, on 8/3/03
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\loadqm.exe
C:\Program Files\Apserver\AON.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\rasmon.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Master Convertor\MCONVERT.EXE
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
\Ntserver\Emails_rcvd\2003\August 03\02.08.03\HIJACKTH.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [AON] C:\Program Files\Apserver\AON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = axtel_pdc
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 202.164.96.1

PLEASE LET ME KNOW WHAT SHOULD I DO NOW ? HOW DO I ELIMINATE THIS VIRUS OVER THE NETOWRK ALSO ?


----------



## Vash-TS (Jul 26, 2003)

Thanks flrman
Here's my new log

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Documents and Settings\Chris\Application Data\DownloadPlus.exe
D:\Chris\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=Explorer.exe D:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WinFast_2K] D:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VOBRegCheck] D:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] D:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Download Plus.lnk = D:\Documents and Settings\Chris\Application Data\DownloadPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)


----------



## Flrman1 (Jul 26, 2002)

Vash-TS 

It looks like you missed part of your log there. Please post your log again and be sure to post all of it.


----------



## Flrman1 (Jul 26, 2002)

axtel 

Welcome to TSG!

I am not seeing sdbot in that log. Please go back to the main security forum and click on "New Thread" and start your own thread. You will get more people looking at it and maybe someone will spot something I am missing.


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by flrman1:_
> *Vash-TS
> 
> It looks like you missed part of your log there. Please post your log again and be sure to post all of it. *


In the meantime go ahead and run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

F0 - system.ini: Shell=Explorer.exe D:\WINDOWS\System32\System32.exe

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [Red Swoosh EDN Client] D:\Program Files\RSNet\RSEDNClient.exe

O4 - Startup: Download Plus.lnk = D:\Documents and Settings\Chris\Application Data\DownloadPlus.exe

These below are optional, but I would recommend getting rid of them too.

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

When finished Restart your computer in safe mode and delete:
The D:\WINDOWS\System32\System32.exe file

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Run Hijack This again and see if there wasn't any additional 09 and 016 entries etc... that weren't included in the last log. There should have been. If so post another log and we'll see if there wasn't something there that needed to go.


----------



## alexd (Aug 5, 2003)

hi..i have this virus on my computer...i did manage to delete system32.exe however my comp now gives me some bogus error message saying it cant find system32exe...and i have some weird user with the IP of usen-221.114.192.141.ad.jp:56498 connected to me...heres my hijack log

Logfile of HijackThis v1.96.0
Scan saved at 3:00:33 PM, on 8/5/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\winnt\system32\qossrv\aysshell.exe
C:\winnt\system32\qossrv\csrss.exe
D:\norton\navapsvc.exe
D:\norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Ad-Aware 6\Ad-aware.exe
D:\Internet Download Manager\IDMan.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\k1ba3937.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - D:\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\norton\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\norton\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37736.7938310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4282/mcfscan.cab


----------



## Vash-TS (Jul 26, 2003)

flrman

Is it safe to delete system32.exe ?
Will it mess up my computer if i delete it?


----------



## $teve (Oct 9, 2001)

alexd.........welcome to T.S.G

put a checkmark next to this entry,close all browser windows and hit"fix checked"

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

and then find and delete the file c:\windows\system32\system32.exe

re-boot and the message should be no more.
rest of log is clean


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by Vash-TS:_
> *flrman
> 
> Is it safe to delete system32.exe ?
> Will it mess up my computer if i delete it? *


System32.exe is not a valid windows file it is essential that you get rid of it.


----------



## Vash-TS (Jul 26, 2003)

Okay im gonna delete it.
Here is my new log.

Logfile of HijackThis v1.96.0
Scan saved at 13:32:02, on 7-8-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\BitTorrent++\BT++.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Chris\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WinFast_2K] D:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VOBRegCheck] D:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37754.4508796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

Vash-TS

Looks like you got it all. :up:

I assume you deciced to keep these:

O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

Happy Surfing!


----------



## Vash-TS (Jul 26, 2003)

Yeah thanks for helping me


----------



## Flrman1 (Jul 26, 2002)

You're Welcome Vash-TS! 


:up:


----------



## rthyfault (Aug 12, 2003)

Hey... Sorry to add on to the heap of these. NAV detects the ol' backdoor.SdBot virus, but can't quarantine or delete it. : ( Here's the Hijack log - any help would be oh-so appreciated!!!!

Logfile of HijackThis v1.96.0
Scan saved at 2:12:10 AM, on 8/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\System32.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This!\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*[url]http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*[url]http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.wmich.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*[url]http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*[url]http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*[url]http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*[url]http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*[url]http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*[url]http://www.yahoo.com
F0 - system.ini: Shell=Explorer.exe C:\WINNT\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


----------



## cyclone9 (Aug 12, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 10:50:45 PM, on 8/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\netd32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\VCool\VCool.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\neWt0n9\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warcraftreplays.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - Startup: VCool.lnk = C:\Program Files\VCool\VCool.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Customize &Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &^ (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.0370717593
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3FA309-228E-4C39-B8EF-10D1F9409F70}: NameServer = 192.228.128.20 192.228.128.18

HEelp plz


----------



## $teve (Oct 9, 2001)

rthyfault........

check these items in hijackthis,close all browser windows and "fix checked"


O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


re-boot into safe mode and delete:
C:\WINNT\System32\System32.exe


----------



## $teve (Oct 9, 2001)

cyclone9......

check these items in hijackthis,close all browser windows and "fix checked"
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe

reboot into safe mode,find and delete the folowing:
C:\WINDOWS\System32\netd32.exe
C:\WINDOWS\UpdReg.EXE

then go here:http://housecall.trendmicro.com/
and run an on-line A/V scan to see if all is clean.


----------



## BillyShakes (Aug 13, 2003)

I'm another that's been infected.

Question: My comp has been working REEEEALLY slowly... would this be a result of this Backdoor thingie?

Here's my Hijack Log:

Logfile of HijackThis v1.96.0
Scan saved at 10:08:38 PM, on 8/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sticks\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stickstuff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 216.239.51.99 www.kazaagold.com
O1 - Hosts: 216.239.51.99 www.kazaa-gold.com
O1 - Hosts: 216.239.51.99 kazaagold.com
O1 - Hosts: 216.239.51.99 www.k-lite.com
O1 - Hosts: 216.239.51.99 www.kazaa-download.de
O1 - Hosts: 216.239.51.99 www.mp3downloadhq.com
O1 - Hosts: 216.239.51.99 www.easymusicdownload.com
O1 - Hosts: 216.239.51.99 easymusicdownload.com
O1 - Hosts: 216.239.51.99 www.mp3madeeasy.com
O1 - Hosts: 216.239.51.99 www.monstershare.com
O1 - Hosts: 216.239.51.99 monstershare.com
O1 - Hosts: 216.239.51.99 www.kazaa-plus.net
O1 - Hosts: 216.239.51.99 kazaa-plus.net
O1 - Hosts: 216.239.51.99 www.kazaa-plus.com
O1 - Hosts: 216.239.51.99 www.edonkey.com
O1 - Hosts: 216.239.51.99 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.51.99 www.kazaaplatinum.com
O1 - Hosts: 216.239.51.99 www.madeformusic.com
O1 - Hosts: 216.239.51.99 www.ikazaa.net
O1 - Hosts: 216.239.51.99 ikazaa.net
O1 - Hosts: 216.239.51.99 www.mp3u.com
O1 - Hosts: 216.239.51.99 www.mp3specialty.com
O1 - Hosts: 216.239.51.99 music-download-world.com
O1 - Hosts: 216.239.51.99 song-download-world.com
O1 - Hosts: 216.239.51.99 www.flixs.net
O1 - Hosts: 216.239.51.99 www.ishareit.net
O1 - Hosts: 216.239.51.99 www.ishareit.com
O1 - Hosts: 216.239.51.99 www.download-doctor.com
O1 - Hosts: 216.239.51.99 www.ezmp3download.com
O1 - Hosts: 216.239.51.99 www.kazaamedia.com
O1 - Hosts: 216.239.51.99 mp3-network.com
O1 - Hosts: 216.239.51.99 www.mp3-network.com
O1 - Hosts: 216.239.51.99 www.mp3grandcentral.net
O1 - Hosts: 216.239.51.99 www.mp333.com
O1 - Hosts: 216.239.51.99 www.kazaamate.com
O1 - Hosts: 216.239.51.99 www.kazaa-download.de
O1 - Hosts: 216.239.51.99 www.emule.biz
O1 - Hosts: 216.239.51.99 www.kazaam8.tk
O1 - Hosts: 216.239.51.99 www.rippro.com
O1 - Hosts: 216.239.51.99 www.kaaza.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [MOD] c:\program files\microangelo\muamgr.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [sagnt] C:\WINDOWS\sagnt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8D1AA8-1C6E-423A-873C-61C0508929C7}: NameServer = 216.249.40.1 216.249.32.1

thanks for any help!


----------



## silentguy (Aug 13, 2003)

Mine

Logfile of HijackThis v1.96.0
Scan saved at 14:21:59, on 13/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\PestPatrol\PPMemCheck.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\Extensis\Suitcase\Suitcase.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\System32\System32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.tinybar.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.tinybar.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tinybar.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.tinybar.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.tinybar.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tinybar.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tinybar.com/ie/
F0 - system.ini: Shell=Explorer.exe C:\WINNT\System32\System32.exe
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINNT\system32\shdocvw.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBLive2k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] regedit -s C:\WINNT\sp.reg
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Documents and Settings\Administrator\Desktop\palestine.exe
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=111502 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINNT\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SalatTimes] "Salat.exe" /t 0
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Suitcase Startup.lnk = C:\Program Files\Extensis\Suitcase\Suitcase.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host3.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/download/Object/ieaccess2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/018feb96d460d7236621/netzip/RdxIE2.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.57-deleon/GoogleNav.cab
O16 - DPF: {7BC974EF-A718-4A17-B77E-4C8DBC327AFA} (SCE Control) - http://www.voloper.com/sce/editor.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://bins.whazit.com/cerials/downloader.cab
O16 - DPF: {DD521A1D-1F98-11D4-9676-00E018981B9E} (New.net Installer) - http://a117.g.akamai.net/7/117/3136/200301290930/www.new.net/download/tldctl2.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/racing/dodgespeedway/microsoft/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0ED4E0FE-471A-4A07-961F-271A3C6CDC1A}: NameServer = 158.43.240.3 158.43.240.4


----------



## ChicagoPanda (Aug 13, 2003)

To the contributors on this site, thank you for creating such an informative and useful site. I dont believe I have any problems here, but I have my suspicions so well start with this; would one of you be good enough to review my hijack log to confirm there are no unwanted guests. Thank You

Logfile of HijackThis v1.96.0
Scan saved at 8:17:22 AM, on 8/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\NMAIN.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMSTATS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
E:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coldwellbanker.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;g3v6o6
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {B405EE45-1AA2-410D-A6CF-1A74371DCD62} - C:\WINDOWS\SYSTEM\HOTLINK.DLL__SpybotSDDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O8 - Extra context menu item: Search &Infoseek - C:\WINDOWS\web\selmenu.htm
O8 - Extra context menu item: Translate &Text - C:\WINDOWS\web\tranmenu.htm
O8 - Extra context menu item: &Translate Page - C:\WINDOWS\web\urlmenu.htm
O8 - Extra context menu item: Search Using Express - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: PD (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.foodtv.com
O15 - Trusted Zone: http://housecall.antivirus.com
O15 - Trusted Zone: http://www.police.edmonton.ab.ca
O15 - Trusted Zone: http://www.gov.edmonton.ab.ca
O15 - Trusted Zone: http://www.ede.org
O15 - Trusted Zone: http://www.spreadgood.com
O15 - Trusted Zone: http://www.exn.ca
O15 - Trusted Zone: http://www.nationallampoon.com
O15 - Trusted Zone: http://www.famousplayers.ca
O15 - Trusted Zone: http://ecardview.hallmark.com
O15 - Trusted Zone: http://www.hallmark.com
O15 - Trusted Zone: http://www.boma.ca
O15 - Trusted Zone: http://www.creb.com
O15 - Trusted Zone: http://www.oldscollege.ab.ca
O15 - Trusted Zone: www.canadahomesearch.com
O15 - Trusted Zone: http://www.homesacrosscanada.com
O15 - Trusted Zone: http://www.marriott.com
O15 - Trusted Zone: http://inc.toysrus.com
O15 - Trusted Zone: http://news.bbc.co.uk
O15 - Trusted Zone: http://www.dreammates.com
O15 - Trusted Zone: http://www.coldwellbanker.ca
O15 - Trusted Zone: http://www.tropico2.com
O15 - Trusted Zone: http://spybot.safer-networking.de
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Template Gallery) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://maps.gov.edmonton.ab.ca/acgm705/acgm.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37595.0271296296
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/ca/TemplateGallery/msotd.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


----------



## entendu1450 (Aug 13, 2003)

hey... i also caught the Backdoor.sdbot virus (like the thousands of people that ur helping out)... anyway here is my list... it would be really great of ur if u can tell me which ones to delete heres my list...

Logfile of HijackThis v1.96.0
Scan saved at 2:19:52 PM, on 8/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\WINDOWS\TVTMD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hotbar\bin\4.3.1.0\HbInst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\ClientMan\msckin.exe
C:\Program Files\AdsGone\adsgone.exe
c:\program files\clientman\run\ause3.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chucklez_da_Klown\My Documents\Chuck's Stuff\HijackThis.exe

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dlltmp
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.DLL
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\lwz.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop167.dll (file missing)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\System32\veg32.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - c:\program files\clientman\run\dnsrepa9c22ca5.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlcli50c9d9fa.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.1.0\HbHostIE.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: SuperBar - {9FF0F8A5-5191-43B2-9389-D2F19A502E9E} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.1.0\HbHostIE.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [System-Service] C:\WINDOWS\SYSTEM\EXPLORER.SCR
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [gsszxsrx] C:\WINDOWS\System32\gsszxsrx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.1.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2003.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mps: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: NM_Chat - http://netmarble.net/NM_Chat.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {3F0F06F0-D240-415F-8E19-8EA678532632} (NPKXWeb Control) - http://211.39.158.200/keycrypt/npkxweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybuddy.co.kr/cab/nexweb.cab
O16 - DPF: {575594D5-8974-4AFE-9919-8FE4AA687DEF} (Nhnplayer Control) - http://stream.mukulcast.com/webcast/nhnplayerx.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/260/nCaseInstaller.cab
O16 - DPF: {78FEC40E-BC0C-11D6-B084-0050BF61D8C9} (PVNPA Class) - http://web.neople.feelamint.com/neople/photual/PhotualVenusNeopleA.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://208.158.118.13/AxisCamControl.ocx
O16 - DPF: {91F890E4-B953-4370-993C-F515EB480004} (FaV_AFX Control) - http://210.114.220.149/comebackhome.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://211.39.158.200/npkxsite/npkxsite.cab
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/ads/247/ax/PopLoad.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (session Class) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {ABCDEFED-935F-11D3-A25B-006097755A02} - http://res2.ohmylove.co.kr/avchat/avchatatx.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {B74AE2CF-1765-4A81-A31B-1AFA84EE11FE} (NeoPle Control) - http://web.neople.feelamint.com/neople/neople.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.net/nProtect/module/netmarble/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://distribution.trafficsyndicate.com/msiein.cab
O16 - DPF: {DAAD8E43-FAC2-41DD-8F02-9D2BD626F4BB} (AVChat_Inst Control) - http://chat.saram.net/avchat/AVChat_InstProj1.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.117/install.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O16 - DPF: {F49A7BC3-8EC9-4817-952D-D75527B75F2D} (VoiceChat Class) - http://61.78.39.35/VCSpider/voicechatatx.cab
O16 - DPF: {F82CC28F-935F-11D3-A25B-006097755A02} (avchatAtx Class) - http://res2.ohmylove.co.kr/chat/avchatatx.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab
O16 - DPF: {FD51F382-078C-4FDB-81F1-EED9ECEC31C9} (DameSetupInit Class) - http://messenger.daum.net/download/dmsetupi.cab

Thnk you so much for ur help!~


----------



## $teve (Oct 9, 2001)

billyshakes..........welcome

check these items,close all browser windows and "fix checked"

0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 216.239.51.99 www.kazaagold.com
O1 - Hosts: 216.239.51.99 www.kazaa-gold.com
O1 - Hosts: 216.239.51.99 kazaagold.com
O1 - Hosts: 216.239.51.99 www.k-lite.com
O1 - Hosts: 216.239.51.99 www.kazaa-download.de
O1 - Hosts: 216.239.51.99 www.mp3downloadhq.com
O1 - Hosts: 216.239.51.99 www.easymusicdownload.com
O1 - Hosts: 216.239.51.99 easymusicdownload.com
O1 - Hosts: 216.239.51.99 www.mp3madeeasy.com
O1 - Hosts: 216.239.51.99 www.monstershare.com
O1 - Hosts: 216.239.51.99 monstershare.com
O1 - Hosts: 216.239.51.99 www.kazaa-plus.net
O1 - Hosts: 216.239.51.99 kazaa-plus.net
O1 - Hosts: 216.239.51.99 www.kazaa-plus.com
O1 - Hosts: 216.239.51.99 www.edonkey.com
O1 - Hosts: 216.239.51.99 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.51.99 www.kazaaplatinum.com
O1 - Hosts: 216.239.51.99 www.madeformusic.com
O1 - Hosts: 216.239.51.99 www.ikazaa.net
O1 - Hosts: 216.239.51.99 ikazaa.net
O1 - Hosts: 216.239.51.99 www.mp3u.com
O1 - Hosts: 216.239.51.99 www.mp3specialty.com
O1 - Hosts: 216.239.51.99 music-download-world.com
O1 - Hosts: 216.239.51.99 song-download-world.com
O1 - Hosts: 216.239.51.99 www.flixs.net
O1 - Hosts: 216.239.51.99 www.ishareit.net
O1 - Hosts: 216.239.51.99 www.ishareit.com
O1 - Hosts: 216.239.51.99 www.download-doctor.com
O1 - Hosts: 216.239.51.99 www.ezmp3download.com
O1 - Hosts: 216.239.51.99 www.kazaamedia.com
O1 - Hosts: 216.239.51.99 mp3-network.com
O1 - Hosts: 216.239.51.99 www.mp3-network.com
O1 - Hosts: 216.239.51.99 www.mp3grandcentral.net
O1 - Hosts: 216.239.51.99 www.mp333.com
O1 - Hosts: 216.239.51.99 www.kazaamate.com
O1 - Hosts: 216.239.51.99 www.kazaa-download.de
O1 - Hosts: 216.239.51.99 www.emule.biz
O1 - Hosts: 216.239.51.99 www.kazaam8.tk
O1 - Hosts: 216.239.51.99 www.rippro.com
O1 - Hosts: 216.239.51.99 www.kaaza.com
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [sagnt] C:\WINDOWS\sagnt.exe

re-boot and you should be good to go.


----------



## $teve (Oct 9, 2001)

silentguy..hello again.

go to add/remove programs and delete "newdotnet"(new.net)

then post another log in a completely new thread......that way we dont get confused,when posts are classed as resolved some logfiles will get overlooked,best to post in your own thread


----------



## $teve (Oct 9, 2001)

chicagopanda....welcome to the board

check with hijackthis,then close all browser windows and "fix checked"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;g3v6o6
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {B405EE45-1AA2-410D-A6CF-1A74371DCD62} - C:\WINDOWS\SYSTEM\HOTLINK.DLL__SpybotSDDisabled (file missing)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

no problems,just a little tidying.


----------



## $teve (Oct 9, 2001)

entendu1450.....also welcome to T.S.G

you have lots of BADDIES to delete......how on earth do you get your comp to run ill never know

in add/remove programs delete the "newdotnet"(new.net) entry.
then post another H/T logfile in a nice new thread like i asked silentguy to do.

thanx


----------



## ~Candy~ (Jan 27, 2001)

As mentioned above, anyone having a similar problem, please open your own thread, it's too difficult to assist groups at the same time


----------

