Hijack This log assistance

[EGM]

Hello people, I'm EGM, and have my own PC at home perfectly clear, so I can't stand my GF's PC being Spyware infested to the bone...

Here's what I've tried:

• Ran Ad-Aware (updated)
• Ran Spybot S&D (updated)
• Ran Hijack This and tried to get the bad things out when I reconziged them
• Ran Hitman Pro (I'm quite sure you know this program)
• Looked at the taskmanager to see some weird stuff
• Ran the newest CWSshredder

It's to no affail, cause it keeps comming back.. especially this.. this toolbar is pretty annoying since you can't disable it, the "close button" is a link button and the whole bar decreases your desktop space and IE (yes, I know, tried to convince them) is pretty hard to see the bottom lines of a page.

As far as I can see, I've done everything I can do, cept for booting in safemode and letting Hitman pro (and everything else) but I'm affraid it'll take an age...

Here's the complete Hijack this log..

Thanks for the help, tell me what I can should/must do...........

UPDATE: Here's the Taskmanager from a freshboot

Logfile of HijackThis v1.98.2
Logfile of HijackThis v1.99.0
Scan saved at 18:20:52, on 17-2-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\12Ghosts\12popup.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geertsema\Bureaublad\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {376FA3AE-2CCF-4CE7-92E1-A2E6C41700D2} - C:\WINDOWS\system32\mpkoaaa.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Pile Option Does Dart] C:\Documents and Settings\All Users\Application Data\hope download pile option\web file.exe
O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://advnt01.com/dialer/olanda_ver3.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://edapp01.saxion.nl/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ebmsg02.saxion.nl/iNotes.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Filter: text/html - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O18 - Filter: text/plain - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[Roshi229]

Welcome to TF.
I see that you have an out dated version of HijackThis. please visit www.kbdigisol.com for the newes version, repost a fresh log and someone will be with you shortly.
thanks
~KB

 

[southernlady]

EGM, I'm going to go ahead and analyze what I have of your log while I wait for you to post your new one. I prefer you post them here tho, ok? All you need to do is copy and paste it here. Liz

 

[EGM]

Yes Sir and Mam'

I will get the newest Hijack this version on my GF's PC asap, I'll update and bump my post, don't worry about analyzing this one if you feel it's for no use...

Thanks for the help anyway, sorry for my ignorance,

Cheers,
EGM

btw. You're doin' a great job here, is there anyway I can help you guys cept for sticking around and answering to question that I know about?

 

[EGM]

BUMP, I updated the stuff

Thanks again in advance!

 

[southernlady]

EGM, I got started on your log and then my motherboard died...had to replace it with one I had in another computer...which meant REFORMATTING!!! Lost everything on one hard drive cause I wasn't prepared. Thank goodness, I'm paranoid as all hell and back up my stuff on a second hard drive so nothing serious was lost except some bookmarks. In the meantime I had major downtime! But I have a copy of what I found so it won't take me long to get your log read, LOL...like I told you, I put stuff on back ups! Liz

 

[southernlady]

You are currently using HijackThis from a temporary directory, this can cause problems. HijackThis creates backups, these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

2. Download HijackThis to the new folder:

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

First Click http://forums.techguy.org/attachment.php?attachmentid=44318 to download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.

Click CWShredder to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

Click About Buster 4.0 to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Now go ahead and set your computer to Show hidden files & folders like so:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Workstation NetLogon Service.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Restart to Safe Mode.

How to start your computer in http://www.spyware911.net/safemode.htm


Perform the following steps in safe mode:

Double click on the cwsserviceemove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have it's contents added to the registry.

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about :blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\GEERTS~1\LOCALS~1\Temp\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about :blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
ernet Settings,ProxyOverride = ;localhost;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {88B5E8F3-8F2D-4F98-9F30-80598D837CD2} - C:\WINDOWS\system32\mpkoaaa.dll

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [Pile Option Does Dart] C:\Documents and Settings\All Users\Application Data\hope download pile option\web file.exe

O4 - HKLM\..\Run: [pkd] C:\WINDOWS\pkd.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://advnt01.com/dialer/olanda_ver3.CAB

O18 - Filter: text/html - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll

O18 - Filter: text/plain - {B15E7322-D066-4CCA-925B-7696DEFD9AFA} - C:\WINDOWS\system32\mpkoaaa.dll

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

Boot out of safe mode back into Windows normally now.

Download DelDomains.inf from here:

Rightclick DelDomains.inf and choose install.

Click LspFix to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of osmim.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish.


Turn off System Restore: Disable System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.


Go Trend Micro - Free online virus Scan and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster.zip . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go SDHelper.dll and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go http://www.spywareinfo.com/~merijn/winfiles.html, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Reboot,

Empty the Recycle Bin,


And go get the newest HiJack This log. You need to go to here: HijackThis and download version 1.99.1, please.

Then post another log. Liz

 

[EGM]

:O that's something very big
Thanks for the help, I'll do it when I get to my GF again