Trojan horse Downloader.Small.18.T & annoying search box/warning sign on desktop

  1. #1
    barnettgs (Newbie)

    Trojan horse Downloader.Small.18.T & annoying search box/warning sign on desktop

    Hi, I'm new here. I have scanned my cousin's PC with Ad-Aware, Search & Destroy and AVG 7 (full scan) in safe mode.

    No luck, so I decided to have a look, found this forum, downloaded HijackThis and ran it, following the instructions from a similar problem thread:

    http://www.d-a-l.com/help/archive/in...p/t-16032.html

    Somehow it is a bit different from my cousin's PC, and I can't right-click on the desktop as there is an annoying site/advert saying 'WARNING, THIS IS DANGER' plus a pop-up isearch box in the bottom-right corner.

    So I have attached the log file below so you can see what it is. I have tried reinstalling Windows XP, with no luck.

    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 14:28:45, on 18/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\dx3adm.exe
    c:\windows\system32\qmwipot.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\m?config.exe
    C:\WINDOWS\System32\win32.exe
    C:\Documents and Settings\william\Application Data\sccp.exe
    C:\WINDOWS\System32\dllstat.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Documents and Settings\william\My Documents\HijackThis.exe
    C:\WINDOWS\System32\wpabaln.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsncnfkeol.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.karasxxx.com/guests/clean...it.shtml?camco
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41CA8322-B860-424A-920F-3198AEA26CC1} - C:\WINDOWS\System32\mja.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [47FP3tQ] dx3adm.exe
    O4 - HKLM\..\Run: [hngfap] c:\windows\system32\qmwipot.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\william\Application Data\othi.exe
    O4 - HKCU\..\Run: [Puwa] C:\WINDOWS\System32\m?config.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O4 - HKCU\..\Run: [LwwFRjc5V] dllstat.exe
    O4 - HKCU\..\Run: [Sbg] C:\WINDOWS\Ogl.exe
    O4 - HKCU\..\Run: [Vsh] C:\WINDOWS\System32\Lrp.exe
    O4 - HKCU\..\Run: [Mnc] C:\WINDOWS\System32\Njl.exe
    O4 - HKCU\..\Run: [Voj] C:\WINDOWS\Vpr.exe
    O4 - HKCU\..\Run: [Vkj] C:\WINDOWS\Vvv.exe
    O4 - HKCU\..\Run: [Cmf] C:\WINDOWS\Vbm.exe
    O4 - HKCU\..\Run: [Wmnc] C:\Documents and Settings\william\Application Data\sccp.exe
    O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
    O18 - Filter: text/plain - {26A4F881-FB48-4812-B6B3-523763F49BFA} - C:\WINDOWS\System32\mja.dll
    O21 - SSODL: System - {F04C4899-43A3-48F5-9B3C-9825F8F19C85} - ssvmc.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


  2. #2
    HJThis (Senior Member)
    Hello, barnettgs, and welcome.

    1) Go for free online virus scans here:

    http://housecall.trendmicro.com/hou.../start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

    2) Download CWShredder at the link below:
    http://cwshredder.net/bin/CWShredder.exe

    Download SpSeHjfix here:
    http://www.derbilk.de/SpSeHjfix112.zip
    Save it to the desktop, then right-click a blank part of the desktop and select New Folder; call it spfix. Unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers, it will say the system is clean and not go on to the next stage.

    Now run CWShredder and hit the FIX button!

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

    HGD

  3. #3
    barnettgs (Newbie)
    OK, it is not connected to the internet as I have it in another room. I ran AVG with a full scan yesterday, which took over an hour or so and only found one, something like C:\Windows\... I can't remember the name of the file.

    I have run SpSeHjfix today but it found no infection, and the same for CWShredder.

    But CWShredder found a couple yesterday and deleted both.

    So here's the log files:

    Thanks

    (5/19/05 10:26:17) SPSeHjFix started v1.1.2
    (5/19/05 10:26:17) OS: WinXP Service Pack 1 (5.1.2600)
    (5/19/05 10:26:17) Language: english
    (5/19/05 10:26:17) Win-Path: C:\WINDOWS
    (5/19/05 10:26:17) System-Path: C:\WINDOWS\System32
    (5/19/05 10:26:17) Temp-Path: C:\DOCUME~1\william\LOCALS~1\Temp\
    (5/19/05 10:26:19) Disinfection started
    (5/19/05 10:26:19) Bad-Dll(IEP): (not found)
    (5/19/05 10:26:19) Bad-Dll(IEP) in BHO: (not found)
    (5/19/05 10:26:19) UBF: 4 - UBB: 3 - UBR: 21
    (5/19/05 10:26:19) UBF: 4 - UBB: 3 - UBR: 21
    (5/19/05 10:26:19) Bad IE-pages: (none)
    (5/19/05 10:26:19) Stealth-String not found
    (5/19/05 10:26:19) Not infected->END
    Logfile of HijackThis v1.99.1
    Scan saved at 10:30:11, on 19/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\dx3adm.exe
    C:\Apps\ActivBoard\TrayMon.exe
    c:\windows\system32\pbowem.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\william\Application Data\sccp.exe
    C:\WINDOWS\System32\m?config.exe
    C:\WINDOWS\System32\win32.exe
    C:\WINDOWS\System32\dllstat.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Documents and Settings\william\Desktop\spfix\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsncnfkeol.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.karasxxx.com/guests/clean...it.shtml?camco
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [47FP3tQ] dx3adm.exe
    O4 - HKLM\..\Run: [eqfyslc] c:\windows\system32\pbowem.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\william\Application Data\othi.exe
    O4 - HKCU\..\Run: [Puwa] C:\WINDOWS\System32\m?config.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O4 - HKCU\..\Run: [LwwFRjc5V] dllstat.exe
    O4 - HKCU\..\Run: [Sbg] C:\WINDOWS\Ogl.exe
    O4 - HKCU\..\Run: [Vsh] C:\WINDOWS\System32\Lrp.exe
    O4 - HKCU\..\Run: [Mnc] C:\WINDOWS\System32\Njl.exe
    O4 - HKCU\..\Run: [Voj] C:\WINDOWS\Vpr.exe
    O4 - HKCU\..\Run: [Vkj] C:\WINDOWS\Vvv.exe
    O4 - HKCU\..\Run: [Cmf] C:\WINDOWS\Vbm.exe
    O4 - HKCU\..\Run: [Wmnc] C:\Documents and Settings\william\Application Data\sccp.exe
    O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

  4. #4
    HJThis (Senior Member)
    Hi,barnettgs

    First move HijackThis from your Desktop to a folder on the C: drive, like so: C:\HJT

    Uninstall the following via the Add/Remove Programs panel (Start -> (Settings) -> Control Panel -> Add/Remove Programs) if it exists:

    CxtPls

    Press Ctrl-Alt-Delete to get into Task Manager and end the following processes if they exist:
    m?config.exe <--- NOTE: it's this file, not msconfig.exe
    win32.exe
    dllstat.exe


    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is set. If it is, uncheck it and try again.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsncnfkeol.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.karasxxx.com/guests/clea...xit.shtml?camco

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

    O4 - HKLM\..\Run: [47FP3tQ] dx3adm.exe
    O4 - HKLM\..\Run: [eqfyslc] c:\windows\system32\pbowem.exe
    O4 - HKCU\..\Run: [Puwa] C:\WINDOWS\System32\m?config.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O4 - HKCU\..\Run: [LwwFRjc5V] dllstat.exe
    O4 - HKCU\..\Run: [Sbg] C:\WINDOWS\Ogl.exe
    O4 - HKCU\..\Run: [Vsh] C:\WINDOWS\System32\Lrp.exe
    O4 - HKCU\..\Run: [Mnc] C:\WINDOWS\System32\Njl.exe
    O4 - HKCU\..\Run: [Voj] C:\WINDOWS\Vpr.exe
    O4 - HKCU\..\Run: [Vkj] C:\WINDOWS\Vvv.exe
    O4 - HKCU\..\Run: [Cmf] C:\WINDOWS\Vbm.exe

    This item here: is it something you installed? If not, or if no one knows what it is, fix it.
    O4 - HKCU\..\Run: [Wmnc] C:\Documents and Settings\william\Application Data\sccp.exe

    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)

    These two here: are they your ISP?
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:
    C:\Program Files\CxtPls\ <--- This folder, if you uninstalled it as said above
    C:\WINDOWS\svcproc.exe <--- This file
    c:\windows\system32\pbowem.exe <--- This file
    C:\WINDOWS\System32\m?config.exe <--- NOTE: this file, not msconfig
    C:\WINDOWS\System32\win32.exe <--- This file
    C:\WINDOWS\Ogl.exe <--- This file
    C:\WINDOWS\System32\Lrp.exe <--- This file
    C:\WINDOWS\System32\Njl.exe <--- This file
    C:\WINDOWS\Vpr.exe <--- This file
    C:\WINDOWS\Vvv.exe <--- This file
    C:\WINDOWS\Vbm.exe <--- This file

    Still in Safe Mode, do a file search for these files and, if found, delete them:
    dx3adm.exe
    dllstat.exe


    Then reboot, tell us how it is doing, and again do this:

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/hou.../start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

    HGD
    Last edited by HJThis; 19-05-2005 at 12:07 PM.

  5. #5
    barnettgs (Newbie)
    Thanks, they seem to have been removed, but the annoying desktop is still there:

    See the screenshot:

    Desktop

    Also, after Windows login, just before the desktop comes up, a pop-up window like this appears:

    Windows cannot load the user's profile but has logged you on with the default profile for the system.


    DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format.


    (5/19/05 13:09:33) SPSeHjFix started v1.1.2
    (5/19/05 13:09:33) OS: WinXP Service Pack 1 (5.1.2600)
    (5/19/05 13:09:33) Language: english
    (5/19/05 13:09:33) Win-Path: C:\WINDOWS
    (5/19/05 13:09:33) System-Path: C:\WINDOWS\System32
    (5/19/05 13:09:33) Temp-Path: C:\DOCUME~1\william\LOCALS~1\Temp\
    (5/19/05 13:09:35) Disinfection started
    (5/19/05 13:09:35) Bad-Dll(IEP): (not found)
    (5/19/05 13:09:35) Bad-Dll(IEP) in BHO: (not found)
    (5/19/05 13:09:35) UBF: 4 - UBB: 2 - UBR: 8
    (5/19/05 13:09:35) UBF: 4 - UBB: 2 - UBR: 8
    (5/19/05 13:09:35) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    (5/19/05 13:09:35) Stealth-String not found
    (5/19/05 13:09:35) Not infected->END

    Logfile of HijackThis v1.99.1
    Scan saved at 13:10:04, on 19/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Apps\ActivBoard\MMKeybd.exe
    c:\windows\system32\zgdfdc.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
    C:\WINDOWS\System32\wpabaln.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [pyhhbjs] c:\windows\system32\zgdfdc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7F5F0116-FC51-4284-97AE-ABB4EF07A871} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    What else am I missing? Thanks again

  6. #6
    HJThis (Senior Member)
    Hi,barnettgs

    OK, do this here: delete this file, then do the Desktop.

    Press Ctrl-Alt-Delete to get into Task Manager and end the following process if it exists:
    zgdfdc.exe

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is set. If it is, uncheck it and try again.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [pyhhbjs] c:\windows\system32\zgdfdc.exe

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:
    c:\windows\system32\zgdfdc.exe<---This file

    Now do this here

    Click "Start", "Settings", and then click "Control Panel". Open the "Display" applet.
    Click on "Desktop", "Customise Display..." and "Web".
    In the box under "Web pages" look for a checkbox named "Security". If found select it and click "Delete".

    HGD
    Last edited by HJThis; 19-05-2005 at 03:12 PM.

  7. #7
    barnettgs (Newbie)
    Right, that's a tough one. Every time I deleted a virus file in the system32 folder and also deleted it in HijackThis, it kept coming back with a different file name in HijackThis after each reboot!
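
    The triage the helper did by hand in posts #2 to #6, and the rename-on-reboot behaviour reported in the post just above, as an added example that is not part of the thread and not the forum's or HijackThis's own tooling: a small Python script for HijackThis-format logs. It parses the R/O result lines, applies the rules a log reader applies by eye (redirected start page, "(file missing)" orphans, Trusted Zone additions, services with no vendor name, autostarts from the user profile or the Windows root, a lookalike filename containing a non-ASCII character, random-looking Run key names), and diffs two consecutive logs to pair a Run entry that vanished with the one that replaced it in the same directory. The two log excerpts are constructed from the logs posted in this thread, trimmed to a few lines; the rule set, the `looks_random` thresholds and all function names are my own assumptions, and the randomness rule is a hint for the reader, not a verdict.

```python
"""HijackThis log triage. Added example for this thread, not the forum's tool;
the rules and thresholds below are the editor's assumptions."""
import re
from typing import Dict, List, Tuple

# Excerpts constructed from the two logs posted above (trimmed, paths unchanged).
LOG_DAY1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsncnfkeol.biz
O2 - BHO: (no name) - {41CA8322-B860-424A-920F-3198AEA26CC1} - C:\WINDOWS\System32\mja.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hngfap] c:\windows\system32\qmwipot.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Puwa] C:\WINDOWS\System32\m?config.exe
O4 - HKCU\..\Run: [Voj] C:\WINDOWS\Vpr.exe
O4 - HKCU\..\Run: [Wmnc] C:\Documents and Settings\william\Application Data\sccp.exe
O15 - Trusted Zone: *.searchmiracle.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
# Next day's log: the HKLM Run entry is back under a different random name.
LOG_DAY2 = LOG_DAY1.replace("[hngfap] c:\\windows\\system32\\qmwipot.exe",
                            "[eqfyslc] c:\\windows\\system32\\pbowem.exe")

LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\]\s+(.*)$")
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.I)

def parse(log: str) -> List[Tuple[str, str]]:
    """(section, body) for every result line, e.g. ('O4', 'HKLM\\..\\Run: [x] c:\\a.exe')."""
    out = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def run_target(value: str) -> str:
    """Executable path from a Run value, minus surrounding quotes and arguments."""
    m = EXE.match(value.strip())
    return (m.group(1) or m.group(2)) if m else value.strip()

def looks_random(name: str) -> bool:
    """Hint that a Run key name is machine-generated ('hngfap', '47FP3tQ')."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if not letters or letters.isupper():      # acronyms (MSMSGS, AVG7_CC) look random too; skip
        return False
    if re.search(r"\d", name):                # mixed case plus digits
        return True
    longest = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", letters)), default=0)
    vowels = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    return longest >= 3 and vowels <= 0.34    # thresholds chosen by eye on this thread's names

def path_reason(path: str) -> str:
    p = path.lower()
    if "?" in path or not path.isascii():     # HJT shows an unprintable lookalike char as '?'
        return "non-ASCII character in filename (lookalike of a system binary)"
    if "\\application data\\" in p or "\\local settings\\" in p:
        return "autostart from the user profile"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", p):
        return "autostart directly in the Windows directory"
    return ""

def flag(section: str, body: str) -> str:
    """Reason the entry deserves a look, or '' if nothing stands out."""
    if section in ("R0", "R1") and (url := re.search(r"https?://([^/\s]+)", body)):
        return "browser redirect to " + url.group(1)
    if "(file missing)" in body:
        return "orphaned entry, binary already gone"
    if section == "O15":
        return "site/IP added to the Trusted zone (none expected on a home PC)"
    if section == "O23" and "Unknown owner" in body:
        return "service with no vendor name"
    if section == "O4" and (m := RUN.match(body)):
        _, key, value = m.groups()
        return path_reason(run_target(value)) or (
            f"random-looking Run key name [{key}]" if looks_random(key) else "")
    return ""

def triage(log: str) -> List[Tuple[str, str]]:
    """(line, reason) for each entry a reader should fix or ask about."""
    return [(f"{s} - {b}", r) for s, b in parse(log) if (r := flag(s, b))]

def run_entries(log: str) -> Dict[str, str]:
    """'HIVE:[key]' -> executable for every O4 Run line."""
    return {f"{m.group(1)}:[{m.group(2)}]": run_target(m.group(3))
            for s, b in parse(log) if s == "O4" and (m := RUN.match(b))}

def churned_runs(old: str, new: str) -> List[Tuple[str, str]]:
    """Pair a Run entry that vanished with one that appeared in the same directory:
    the signature of a dropper re-created under a fresh name on every boot."""
    before, after = run_entries(old), run_entries(new)
    gone = {k: v for k, v in before.items() if k not in after}
    fresh = {k: v for k, v in after.items() if k not in before}
    folder = lambda path: path.rsplit("\\", 1)[0].lower()
    return [(f"{gk} {gv}", f"{nk} {nv}") for gk, gv in gone.items()
            for nk, nv in fresh.items() if folder(gv) == folder(nv)]

if __name__ == "__main__":
    print(*triage(LOG_DAY1), *churned_runs(LOG_DAY1, LOG_DAY2), sep="\n")
```

    On the day-one excerpt the script leaves the AVG and Messenger entries alone and flags the other eight lines; run against the day-one and day-two excerpts it pairs [hngfap] qmwipot.exe with [eqfyslc] pbowem.exe, which is the "comes back with a different file name" behaviour. The pairing, not the name heuristic, is the reliable signal: a legitimate Windows name like svchost or avgcc trips any consonant-run test, while a dropper that must re-register itself every boot cannot hide from a diff of two logs.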

  8. #8
    HJThis (Senior Member)
    Hey,barnettgs

    Please have a look in here for me and tell me if you see this:

    C:\Documents and Settings\Current User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat <--- This is what I'm looking for

    HGD

  9. #9
    barnettgs (Newbie)
    Yes, it is there... there are two UsrClass files with exactly the same filename; one of them is UsrClass.dat.

    Cheers

  10. #10
    HJThis (Senior Member)
    Hi,barnettgs

    Now here is what I need you to do:

    1) First make sure that file is from the login that is giving you the error and no other.

    2) Go back there, look for that file UsrClass.dat and move it to where you can get to it if we need to.

    3) Now I need you to log back in and see if this helps with the error.

    Again, move that file from the error login and no other.

    And are you the admin of the computer?

    HGD
