Computer Cops
Please help, Incredifind problem, thanks

wolv83
Cadet
Joined: Mar 04, 2004
Posts: 4
Location: USA

Posted: Mon Mar 08, 2004 4:31 pm    Post subject: Please help, Incredifind problem, thanks

First my CD drive would open and I'd get a pop-up ad for spyware removal, then my internet stopped working and kept trying to go to incredifind. I ran Adaware and HijackThis; here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 8:22:42 PM, on 3/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7Search/?002
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Search Assistant = http://server224.smartbotpro.net/7search/?003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (No Name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Real Tray] C:\Program Files\Real\Real Player\realplay.exe SYSTEMBOOTHIDPLAYER
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater/wupdater.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0\aoltray.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Dell Home (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lsp.dll' missing
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010...501/us/win/QuickTimeInstaller.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/15eef8d6ddb85e743c22/netzip/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v15...ontrol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...6421180556
Bulldog
Site Moderator
Joined: Nov 16, 2003
Posts: 2824
Location: Canada

Posted: Wed Mar 10, 2004 2:27 am

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure
all browser and all Windows Explorer windows are closed before fixing.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7Search/?002
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Search Assistant = http://server224.smartbotpro.net/7search/?003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater/wupdater.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/15eef8d6ddb85e743c22/netzip/RdxIE.cab

Reboot and delete:

C:\Program Files\Common files\updater <-- folder
C:\Program Files\IncrediFind <-- folder

You need to update IE to Version 6 SP1 as soon as possible or you will continue to be reinfected.

Also, if you haven't already...
Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
http://www.lavahelp.com/howto/updref/index.html
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

and

Download Spybot - Search & Destroy
http://www.computercops.biz/downloads-file-108.html
Now press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
Reboot.

One final reboot and then post a new HJT log please.

_________________
Cheers
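The checks Bulldog applies by eye to the log above can be written down as a small triage script. This is an added example, not code from the thread, from HijackThis or from Computer Cops: it runs over a constructed excerpt of the first log in this thread and flags a search page pointed off trusted hosts, an R3 hook and a BHO sharing one CLSID, an autorun entry under a suspect path, the broken LSP (O10) and a DPF download from a bare IP. The trusted-host allowlist and the suspect-name keyword list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the first HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7Search/?002
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (No Name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater/wupdater.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lsp.dll' missing
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/15eef8d6ddb85e743c22/netzip/RdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/
"""

# Search/start-page hosts expected on a clean IE install (constructed allowlist, an assumption).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")
# Folder/file names tied to this thread's infection (constructed keyword list, an assumption).
SUSPECT_NAMES = ("incredifind", "incred~1", "wupdater")
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def host_of(line):
    """Hostname of the first URL on the line, or '' when there is none."""
    m = URL_RE.search(line)
    return (urlparse(m.group(0)).hostname or "").lower() if m else ""

def is_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS)

def triage(log_text):
    """Return (line, reason) pairs for the entries a log reviewer would mark for fixing."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # CLSIDs registered as a URLSearchHook (R3); a BHO with the same CLSID is the same component.
    hook_clsids = {c.upper() for l in lines if l.startswith("R3 ") for c in CLSID_RE.findall(l)}
    findings = []
    for line in lines:
        kind = line.split(" - ", 1)[0]
        host = host_of(line)
        if kind in ("R0", "R1") and host and not is_trusted(host):
            findings.append((line, "browser search/start page redirected to " + host))
        elif kind == "R3":
            findings.append((line, "URLSearchHook installed (rarely legitimate)"))
        elif kind == "O2" and {c.upper() for c in CLSID_RE.findall(line)} & hook_clsids:
            findings.append((line, "BHO shares its CLSID with the URLSearchHook"))
        elif kind == "O4":
            path = line.split("] ", 1)[-1].split(" /")[0]  # command after [name], minus /switches
            if "/" in path or any(n in path.lower() for n in SUSPECT_NAMES):
                findings.append((line, "autorun entry with a suspect path"))
        elif kind == "O10":
            findings.append((line, "LSP chain broken: repair with an LSP fix tool, not by deleting"))
        elif kind == "O16" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((line, "ActiveX download (DPF) from a bare IP address"))
    return findings
```

Run `triage(SAMPLE_LOG)` and the six flagged lines match the entries Bulldog lists for fixing plus the O10 LSP entry he handles separately with LSPFix; the Adobe BHO, taskmon.exe and the Windows Update DPF are left alone.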
Bulldog
Site Moderator
Joined: Nov 16, 2003
Posts: 2824
Location: Canada

Posted: Wed Mar 10, 2004 2:30 am

Oops, I see you have run AdAware..

Update it and run it again anyway please.

Also..
Go to Add/Remove Programs and uninstall: 'ShopAtHomeSelect Agent'
And reboot when prompted.

(Only If not found in Add/Remove applet...., download: http://cexx.org/lspfix.htm
Tell it to 'Remove' lsp.dll and 'Keep' the rest. You have to check the box that says *I know what I am doing*)

_________________
Cheers
wolv83
Cadet
Joined: Mar 04, 2004
Posts: 4
Location: USA

Posted: Sat Mar 13, 2004 1:17 pm    Post subject: new log

Thank you very much for responding, I really appreciate your efforts.
Here is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 8:53:36 AM, on 3/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0\aoltray.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

Also, my modem still does not work. Can you help with that?
I ran "modem test" and this is what it said:

C:\WINDOWS\TEMP\ModemTest.txt 3/10/2004
[Registry Information]
Register : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Modem\00^ OK
Register : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\HCFMODEM^ OK
Register : HKEY_LOCAL_MACHINE\Enum\CXT\VEN_14F1^\WDM^ OK
[Modem Information]
Modem MDP3880-W(U) PCI Modem registered on the port : 3
Com Port = 3
Model = MDP3880-W(U) PCI Modem detected
[Port Information]
Error Access denied com : 3

I also get a window that says "a modem is used by another program please stop the program and restart modem test"

and the dial tone test says;

C:WINDOWS\TEMP\ModemTest.txt 3/9/2004
[Dialtone Information]
Dialtone Test modem--> MD3880-W(U) PCI Modem
Error---> No Dialtone dectected

the jack is fine because I plugged a phone into it.

Thanks again for your help
Bulldog
Site Moderator
Joined: Nov 16, 2003
Posts: 2824
Location: Canada

Posted: Sat Mar 13, 2004 1:21 pm

Log looks good now.

Download this Winsock2 fix: http://digital-solutions.co.uk/lavasoft/whndnfix.zip

Unzip and run it.
It does a fine job restoring internet connectivity caused by a corrupted LSP stack on Win 98 and ME systems.

_________________
Cheers
wolv83
Cadet
Joined: Mar 04, 2004
Posts: 4
Location: USA

Posted: Mon Mar 15, 2004 1:04 pm    Post subject: Back in business!!!

Again, thank you very much, I'm back in business, very happy. I had to delete my modem and reinstall. Also updated IE and McAfee and installed a firewall.
Cheers to you also.
Bulldog
Site Moderator
Joined: Nov 16, 2003
Posts: 2824
Location: Canada

Posted: Mon Mar 15, 2004 1:19 pm

Glad we were able to help!

Have a read here:
So how did I get infected in the first place?

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Anyone else having a similar issue, please launch a new topic for yourselves.

_________________
Cheers
Powered by phpBB 2.0.8 © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops