[FIXED]the problem is getting worse can't anyone help.

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

I have been having this problem for about 2 weeks now and i cant seem to get it fixed. I ahve been running Adaware-6, Spybot Search and Destroy, CWShreddar, and HighJack This. I still have several executable files running in my task manager and when i close them they just re-open and double themselves. Can some one please help me before i redo my computer from frustration.

Thank you,
Josh

Here is my HJack Log and i will show you the weird .exe that i know are not supposed to be there but i am not sure of how to get rid of them.

"The list of .exe's":
C:\WINDOWS\System32\EamIaZ3.exe
C:\WINDOWS\System32\EamIaZ3.exe
and there was this weird one like ma20 or something like that there are different ones each time i restart it seems. Anyways here is the log.

Logfile of HijackThis v1.97.7
Scan saved at 1:58:10 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\EamIaZ3.exe
C:\WINDOWS\System32\EamIaZ3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\Uai05I5Y.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtest.com/bin/TestGenXInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

See here it just keeps changing and changing without me doing a thing. Sad

I now have this stupid 180search.

Please help,
Josh

Logfile of HijackThis v1.97.7
Scan saved at 3:45:29 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NyffP78l.exe
C:\WINDOWS\System32\Msoif95f.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\Uai05I5Y.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [oner] C:\WINDOWS\oner.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtest.com/bin/TestGenXInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Here is the third HighJack log i have ran today.
It seems the problem is escalating. Can't anybody help me?

Thank you,
Josh

Logfile of HijackThis v1.97.7
Scan saved at 12:10:36 AM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\oner.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\msbb.exe
C:\WINDOWS\System32\VyqFLv.exe
C:\WINDOWS\System32\Msoif95f.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\SehMe.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [oner] C:\WINDOWS\oner.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CAPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\system32\iedkcs32.exe
O4 - HKCU\..\Run: [vmmreg32] C:\WINDOWS\vmmreg32.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtest.com/bin/TestGenXInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

Mosaic1 · Posted: Mon May 31, 2004 2:13 am Post subject:

Please right click on this file and choose send to >Compressed.
C:\WINDOWS\system32\iedkcs32.exe

Email it to me as an attachment so it can be analyzed. It may be a new nasty.

MY email is
Katie_3232 @hotmail.com

I have added an extra space to the address. Remove it and the email will work. Thanks.

Get some security before you continue:
Here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html

You have the Peper Ad Trojan.
Go here and download the fix and then run it.
http://members.shaw.ca/techcd/VB_Projects/PeperFix.exe
----------

Close All Internet Explorer and Windows Explorer Windows. Select these items in Hijackthis and Press the fix checked button:

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [oner] C:\WINDOWS\oner.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [iedkcs32] C:\WINDOWS\system32\iedkcs32.exe
O4 - HKCU\..\Run: [vmmreg32] C:\WINDOWS\vmmreg32.exe

Restart.

Uninstall Internet Optimizer in Control Panel >Add Remove Programs.

Delete these folders:
C:\Program Files\ISTsvc
C:\Program Files\Internet Optimizer
c:\program files\180solutions
C:\Program Files\Power Scan

Delete these files:
C:\WINDOWS\oner.exe
C:\WINDOWS\system32\iedkcs32.exe
C:\WINDOWS\vmmreg32.exe
-------------------------
Update and run Ad-Aware and Spybot Search and Destroy .

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Run Hijacktnis and post your new log.

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Okay i did everything that you said. That Panda Scan took a year to complete but it found nothing and the first scan found 11 that it could not clean. Here is my new highjack log i am not sure if it is through or what.
Oh yeah andhow do i get the latest javavm that Tony was talking about?
Thank you,
Josh

these look weird to me.

O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\SehMe.exe

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [CAPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE

Logfile of HijackThis v1.97.7
Scan saved at 2:57:23 PM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\SehMe.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CAPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mymathtest.com/bin/TestGenXInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

tchicken · Private Joined: May 26, 2004 Posts: 40 Location: USA

Get autoruns. http://www.sysinternals.com/files/autoruns.zip

You'll find this will be useful in catching morphers. Under:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
You will catch the dll's. This will also let you jump to the registry key that is associated with the morpher.

Try this out.

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Thanks I will try it and see.

Josh

Mosaic1 · Posted: Mon May 31, 2004 9:46 pm Post subject:

That other advice you were given by tchicken was referencing the possibiliy of your having the L2M pest. We use a different utility to discover that. I see no sign that you do have L2M. But if you want to have a look we can.

Download VX2Finder from this link:
http://tools.zerosrealm.com/VX2Finder.exe

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
-------------

This is a Peper Trojan leftover. You can fix it. The trojan is now gone.
O4 - HKLM\..\Run: [3P7CT@G2QQ@RYT] C:\WINDOWS\System32\SehMe.exe

--------------
Where were these uncleanable files found? In System Restore? If so, we can and should flush the restore points to remove them. Let me know.

Mosaic1 · Posted: Mon May 31, 2004 10:26 pm Post subject:

Go to Windows Update and scan. It will include the lateset Virtual Machine if you do not have it already. You have SP1 and may already have it.

To find out what you do have installed go to Start>Run and type cmd
press enter to bring up a command prompt

In the command prompt window type
jview and press enter.

The first line of the results will include the java version.

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Hey Mosaic,
Thank you for all your help. I tried the VX2finder, and it wouldn't let me make a log, i guess cause it is clean. I really don't remeber where the uncleanable files where though. And the jveiw would not work. It said the file not found. o well i believe i have the latest version.

Do you see that message? i got in trouble for making to many post, I can see his point though. I was looking sort of desparate for help.

Thank you very much,
Josh

Mosaic1 · Posted: Wed Jun 02, 2004 12:30 am Post subject:

VX2 should allow a log no matter. What happened when you pressed Make log?

Here's mine, after it opened in notepad.
Log for VX2.BetterInternet File Finder

Files Found---

Guardian Key--- is called:

User Agent String---
--------------

You do not seem to have the MS Virtual Machine at all.

Are you running Sp1 or Sp1a?

SP1a has no VM included.

We can either have you reinstall the Service pack. OR get an install of the Virtual Machine. This will be older. Then you can go to Windows Update and they will allow you to update the VM. It is important that you do that right away though. The older VM is full of holes and not something to run. But Windows Update will not allow you to install the updated version unless you already the the VM installed.

Or you might consider just installing Sun Java.

Are you talking about that new message at the top of tha page? That is for general information and everyone sees it.

Run the scan again and find out whre the files are. If in System restore then flush the restore points. We would do that after we were finished anyway. I do like to wait to be sure everything is working before flushing them.

To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Well whenever i press the make log button nothing at all happens but in the window it says

Files Found---

Guardian Key--- is called:

User Agent String---

I will run the scan again and get the java file or whatever is needed, i am using windows service pack 1 A.

Thanks
Josh

Mahsoggies · Sergeant Joined: Dec 29, 2003 Posts: 81 Location: USA

Oh and which should i do, get the old VM or Java SUN?

Josh

Mosaic1 · Posted: Wed Jun 02, 2004 6:56 pm Post subject:

That's why no java. They removed it in SP1a so you won't have it.

what do you want to do? Get the more secure Sun Java and install? Or go for the MS java?

Mosaic1 · Posted: Wed Jun 02, 2004 7:53 pm Post subject:

In order to get the latest MS VM you have to have the old one installed. Then you go to Windows Update and they will allow you to upgrade.

You have to do that right away because the old version is loaded with security risks. It is getting more and more difficult to find a safe place to download the old MS VM too. I would have to search for one and couldn't say 100% that it was safe. MS no longer has it available.

Or just go over to Sun and get theirs.

Here's the link to SUN:
http://java.com/en/index.jsp

Test your Notepad.exe to be sure it is ok. Right click on Notepad.exe and choose properties. Be sure it is the Microsoft file.

You should have two copies. One in the Windows Folder and another in System32.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 764 pages served in previous 5 minutes. Page Rendered: 0.484 seconds.