Help Removing Shopping Wizard

  1. #1
    MKOSTY (Newbie)

    Help Removing Shopping Wizard

    Hello,

    Let me start by saying I appreciate your help and advice. I know that many of you volunteer your time to help novices like me - I really appreciate that. I have installed and run both Ad-Aware SE and Spybot Search and Destroy as advised in the "posting a Hijack This" thread.

    When I go to my Add/Remove programs I see a program called Shopping Wizard that I cannot seem to uninstall. When I click the uninstall button I receive the following error: unable to open http://looking-for.cc/uninstall/ShoppingWizard.html.

    Pop-ups are happening while browsing and my home page has been hijacked. When I open my browser, I am directed to a page called about:blank. I cannot change my default and several links have been added to my favorites list including a folder called "Sites About".

    Here is my HJT Log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:42:22 PM, on 2/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AccessManager\Client\AMBroker.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    C:\WINDOWS\system32\srvany.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\apizj.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AccessManager\Client\AccessMgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\mslw32.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hcrmc-online/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3486A396-7595-B288-69FC-2B5649058C5B} - C:\WINDOWS\system32\javapq.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [mslw32.exe] C:\WINDOWS\mslw32.exe
    O4 - HKLM\..\RunOnce: [apizj.exe] C:\WINDOWS\system32\apizj.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://hcrmc-online
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A12E5D0-09DD-49DC-BFD7-084ABD495684}: NameServer = 172.16.202.11,172.16.202.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: Domain = hcr-manorcare.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: NameServer = 172.16.131.76
    O23 - Service: Access Manager Configuration Service - Unknown - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
    O23 - Service: StartupScript - Unknown - C:\WINDOWS\system32\srvany.exe
    O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)


    I apologize if I was too descriptive with my issue, but I wanted to give as much background as possible to reach my goal - getting rid of this thing!!

    Any help would be appreciated in removing this unwanted program from my system!! Once again, thank you in advance.


    Matt Kosty
    Last edited by MKOSTY; 16-02-2005 at 05:45 AM. Reason: Title Correction

  2. #2
    owen (D-A-L Team Member, UK)
    Hello,
    Please could you download and unzip About:Buster from AboutBuster. Leave it for now, we'll use it later. Also download and install Ad-aware from here.

    Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders beforehand.

    Go to Start> Run and type services.msc.

    Locate Workstation NetLogon Service. Double click it and click the Stop button in the Properties window. Select Disabled from the drop down menu next to Startup Type. Click Ok and exit Services.

    Press Ctrl+Alt+Del to get into Task Manager. Once in Task Manager, end the following processes (if they exist):

    msny32.exe

    Restart Hijack This and put a checkmark next to these entries and click Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
    O2 - BHO: (no name) - {3486A396-7595-B288-69FC-2B5649058C5B} - C:\WINDOWS\system32\javapq.dll
    O4 - HKLM\..\Run: [mslw32.exe] C:\WINDOWS\mslw32.exe
    O4 - HKLM\..\RunOnce: [apizj.exe] C:\WINDOWS\system32\apizj.exe
    O23 - Service: StartupScript - Unknown - C:\WINDOWS\system32\srvany.exe
    O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)

    Delete the following files and folders:

    C:\WINDOWS\system32\javapq.dll
    C:\WINDOWS\mslw32.exe
    C:\WINDOWS\system32\apizj.exe
    C:\WINDOWS\system32\srvany.exe
    C:\WINDOWS\system32\msny32.exe

    Now run the file aboutbuster.exe that we downloaded earlier. When the tool is open press the Ok button, then the Start button, then the Ok button, and then finally the Yes button. If it asks if you would like to do a second pass, allow it to do so. When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

    Copy the contents of this quote box to Notepad:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
    Click File> Save As. Click the drop down arrow next to Save as type: and select all files. In the filename box type fix.reg. Save it to a convenient location. Once saved, double click it and confirm that you want it to merge with the registry.

    Now Start Ad-aware

    We need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes & modules during scan
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Then go to Start> Run and type cleanmgr.

    Put a checkmark next to:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    Click Ok

    Reboot into Normal Mode.

    Note: Two, possibly three files may have been deleted from your computer by the hijacker and may need to be replaced:

    Control.exe. If control.exe is missing go to merijn and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

    hosts (with no extension). Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit the program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

    SDHelper.dll (if you are using Spybot Search & Destroy). If you have Spybot S&D installed and SDHelper.dll is missing, replace it with this one. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

    Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow all ActiveX. In IE, click Tools> Internet Options and then click the Security tab. Click on Custom Level and make sure that the following settings are correct:

    Download signed ActiveX controls (Prompt)
    Download unsigned ActiveX controls (Disable)
    Initialize and script ActiveX controls not marked as safe (Disable)
    Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    Script ActiveX controls marked safe for scripting (Prompt)

    Pay a visit to http://housecall.trendmicro.com and let it scan for and remove any viruses, worms or trojans you may have.

    Then post a fresh Hijack This log and your About:Buster log here.

  3. #3
    MKOSTY (Newbie)
    Hi Owen,

    Thank you for your prompt reply. I followed the steps, but I believe the program has morphed. Here are my About:Buster and HJT logs.

    Scanned at: 10:34:42 PM on: 2/16/2005


    -- Scan 1 ---------------------------
    About:Buster Version 4.0
    Reference List : 23

    No ADS found on system
    Removed 2 Random Key Entries
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 4.0
    Reference List : 23

    No ADS found on system
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!






    Scanned at: 8:33:31 PM on: 2/17/2005


    -- Scan 1 ---------------------------
    About:Buster Version 4.0
    Reference List : 23

    No ADS found on system
    Removed 2 Random Key Entries
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 4.0
    Reference List : 23

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!








    Logfile of HijackThis v1.99.0
    Scan saved at 9:03:59 PM, on 2/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AccessManager\Client\AMBroker.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AccessManager\SMOC\spi_da.exe
    C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AccessManager\Client\AccessMgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
    C:\PROGRA~1\ACCESS~1\SMOC\sp_smoc.exe
    C:\PROGRA~1\ACCESS~1\SMOC\spi_stat.exe
    C:\WINDOWS\atlvc32.exe
    C:\WINDOWS\system32\ntoy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hcrmc-online/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {EE08D6DF-BFF6-7070-4C87-02CDA5E646F6} - C:\WINDOWS\sdkyq32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
    O4 - HKLM\..\RunOnce: [atlvc32.exe] C:\WINDOWS\atlvc32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://hcrmc-online
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A12E5D0-09DD-49DC-BFD7-084ABD495684}: NameServer = 172.16.202.11,172.16.202.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: Domain = hcr-manorcare.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: NameServer = 172.16.131.76
    O23 - Service: Access Manager Configuration Service - Unknown - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)


    Thanks for your assistance.

    Matt Kosty
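    As an added illustration (example code written for this page, not a tool from the thread and not part of HijackThis or About:Buster), the script below encodes the triage rules owen applied when picking entries for Fix Checked: R0/R1 search or start pages redirected to a res:// path inside a local DLL, the machine-wide about:blank start page, unnamed BHOs, Run/RunOnce entries in the Windows directory whose label is just the file name, and unknown-vendor services whose binary is missing or lives under C:\WINDOWS. It then compares the flagged file names between the first two logs, which is how the "morphed" observation above shows up in data: the same entry types persist while the random file names rotate. The sample entries are copied from the two logs posted in this thread; the rules, the Finding structure and the function names are this example's own assumptions.

```python
"""Heuristic triage of HijackThis log entries (added example; not from the thread's tools)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples: short subsets of the first and second logs posted in this thread.
LOG_FEB15 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnucs.dll/sp.html#12345
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3486A396-7595-B288-69FC-2B5649058C5B} - C:\WINDOWS\system32\javapq.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [mslw32.exe] C:\WINDOWS\mslw32.exe
O4 - HKLM\..\RunOnce: [apizj.exe] C:\WINDOWS\system32\apizj.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: StartupScript - Unknown - C:\WINDOWS\system32\srvany.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)
"""
LOG_FEB17 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zebwf.dll/sp.html#12345
O2 - BHO: (no name) - {EE08D6DF-BFF6-7070-4C87-02CDA5E646F6} - C:\WINDOWS\sdkyq32.dll
O4 - HKLM\..\Run: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
O4 - HKLM\..\RunOnce: [atlvc32.exe] C:\WINDOWS\atlvc32.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)
"""

# Line shapes as HijackThis prints them: "<section> - <body>", then per-section fields.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RES_RE = re.compile(r"= res://(?P<path>[^/]+\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)
WINDIR = "c:\\windows\\"
MISSING = " (file missing)"


@dataclass
class Finding:
    kind: str    # HJT section, e.g. "R1" or "O23"
    reason: str  # which heuristic fired
    file: str    # lower-cased basename of the binary the entry points at ("" if none)
    line: str    # the original log line


def basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the entries a CWS-style cleanup would mark; everything else is left alone."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            r = RES_RE.search(body)
            if r:
                findings.append(Finding(kind, "IE search/start page redirected to a local DLL resource (res://)", basename(r.group("path")), raw))
            elif "Default_Page_URL = about:blank" in body:
                findings.append(Finding(kind, "machine-wide start page forced to about:blank", "", raw))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)":
                findings.append(Finding(kind, "unnamed Browser Helper Object", basename(b.group("path")), raw))
        elif kind == "O4":
            u = RUN_RE.match(body)
            if u:
                e = EXE_RE.match(u.group("cmd"))
                exe = basename(e.group("exe")) if e else ""
                in_windir = u.group("cmd").lower().lstrip('"').startswith(WINDIR)
                # Legitimate Run values carry a descriptive label; CWS uses the bare file name,
                # and RunOnce pointing into the Windows directory is how it re-seeds itself.
                if in_windir and (u.group("label").lower() == exe or u.group("key") == "RunOnce"):
                    findings.append(Finding(kind, "random-named autorun in the Windows directory", exe, raw))
        elif kind == "O23":
            s = SVC_RE.match(body)
            if s and s.group("vendor") == "Unknown":
                path = s.group("path")
                missing = path.endswith(MISSING)
                if missing:
                    path = path[: -len(MISSING)]
                if missing or path.lower().startswith(WINDIR):
                    reason = "unknown-vendor service with missing binary" if missing \
                        else "unknown-vendor service running from the Windows directory"
                    findings.append(Finding(kind, reason, basename(path), raw))
    return findings


def suspicious_files(log_text: str) -> List[str]:
    """Sorted, de-duplicated file names referenced by flagged entries (the delete list)."""
    return sorted({f.file for f in triage(log_text) if f.file})


def rotated_artifacts(old_log: str, new_log: str) -> Dict[str, List[str]]:
    """Diff the flagged file names of two logs: the infection rebuilds itself under new names."""
    old, new = set(suspicious_files(old_log)), set(suspicious_files(new_log))
    return {"gone": sorted(old - new), "new": sorted(new - old), "persisting": sorted(old & new)}


if __name__ == "__main__":
    for f in triage(LOG_FEB15):
        print(f"{f.kind:<4}{f.file or '-':<14}{f.reason}")
    print(rotated_artifacts(LOG_FEB15, LOG_FEB17))
```

    Run against the first log, the delete list it produces matches the five files in owen's instructions plus hnucs.dll (the DLL the res:// entries point at); the comparison with the second log shows four fresh names and one entry, the missing msny32.exe service, that survived the first pass.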

  4. #4
    owen (D-A-L Team Member, UK)
    You are correct, it has indeed morphed. Can you post a fresh log using the latest Hijack This version from the link in my signature?

  5. #5
    MKOSTY (Newbie)
    Sorry it has taken me sooo long to reply - I was away for a few days. Here is a fresh HJT log. Man - this bug is tricky. Owen - thanks for your help! I can't tell you how much I appreciate it.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:51:53 PM, on 2/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AccessManager\Client\AMBroker.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\atlvc32.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AccessManager\Client\AccessMgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ntoy.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\irjbp.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hcrmc-online/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {15F4A47C-8C2A-AC97-FF19-354878EF18EC} - C:\WINDOWS\appvm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
    O4 - HKLM\..\RunOnce: [atlvc32.exe] C:\WINDOWS\atlvc32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://hcrmc-online
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A12E5D0-09DD-49DC-BFD7-084ABD495684}: NameServer = 172.16.202.11,172.16.202.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: Domain = hcr-manorcare.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B36EE694-203C-4EA8-BE64-927BA3D25C36}: NameServer = 172.16.131.76
    O23 - Service: Access Manager Configuration Service - Unknown - C:\Program Files\AccessManager\Client\AMBroker.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
    O23 - Service: Visual Insight Dial Analysis - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msny32.exe (file missing)


    Thanks Owen
    Matt

  6. #6
    owen (D-A-L Team Member, UK)
    It's not that tricky an infection, but if there is too much of a gap between me giving you the fix and it being posted and you applying the fix, it won't work.

    Download the latest version of HJT from my signature and then post a fresh log.
