BackDoor.Madfind

triten82 · Guest

I have resently started geting a virus alert for BackDoor.Madfind, it pops up everytime I open the Internet or get a popup Evil or Very Mad

, and says that it has detected and removed the file. How do I get rid of this damned file for good!?

BillC · Posted: Mon Nov 03, 2003 9:18 am Post subject:

Have a look at the Symantec Security Response page on this trojan. Hopefully this will fix the problem.

Ponchie · Sergeant Joined: Nov 04, 2003 Posts: 85 Location: USA

I feel your pain! Symantec has been NO help! I don't understand why I paid them for anti-virus software--it doesn't prevent me from getting viruses, just tells me it's there and can't be fixed. I've followed their steps for removing this @#$% thing, and it comes back as soon as I reboot! Can anybody help me???????????????

BillC · Posted: Tue Nov 04, 2003 9:04 am Post subject:

If you have tried the step by step instructions on the Symantec site with no joy, then mabe a Hijack This log review will shed some light. Do this, go to the Hijack This page and download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Maybe we can find and kill the trojan. I'm not as good as some on HJT logs, but there are people here who are.

Ponchie · Sergeant Joined: Nov 04, 2003 Posts: 85 Location: USA

Bill C--Thank you! I ran the check, and see a lot of bad-looking stuff. Here it is:
Logfile of HijackThis v1.97.3
Scan saved at 8:42:48 AM, on 11/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\rundll32.exe
C:\windows\winlogon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://mommykiss.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mommykiss.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mommykiss.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mommykiss.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mommykiss.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\astctl32.ocx
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Owner\LOCALS~1\Temp\msnple.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\1.bin\IWONBAR.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKLM\..\RunOnce: [WUpdate] C:\WINDOWS\System32\secupd3010.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.pluginaccess.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/cam...taller.exe
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/...7690203312
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://i1img.com/images/nocache/copilot....0.0.5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...2564930556
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
O19 - User stylesheet: c:\windows\system.css
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

Any help at all is greatly appreciated!

CalamityJane · Posted: Tue Nov 04, 2003 10:31 am Post subject:

In addition to this trojan you have a ton of spyware in there. This is going to take a number of steps to clean your PC

First....this is your trojan. Run a Hijackthis scan and put an X in the box next to it and then hit the *Fix This* button.

O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe

Now follow the removal instructions from Symantec here:
http://www.symantec.com/avcenter/venc/d...dfind.html

Next, make sure you have the latest NAV update, disable System Restore (directions are in the link above) and run another AV scan. Delete anything it finds as Madfind.

Then, download either of these free anitspyware scanners. If you are a novice and have never used one before, you may find Adaware the easiest of the two to use. Get the latest updates for the program. Then run and scan and let it fix whatever it finds. If you have any questions, you can ask back here.

Adaware
http://www.lavasoft.de/software/adaware/

Adaware settings tips:
http://www.lavasoftsupport.com/index.php?showtopic=9240

Spybot Search and Destroy
http://www.safer-networking.org/

After running Adaware or Spybot, reboot and run once more the HijackThis. Post the new log here after following all the above steps. We will see what is left to fix or if anything came back.

Woody · Posted: Tue Nov 04, 2003 10:41 am Post subject:

And save all the virgins for the annual sacrifice Shocked

Ponchie · Sergeant Joined: Nov 04, 2003 Posts: 85 Location: USA

OK, the scan is running (had to do a bit of work, first). I'll download the adware, rerun the hijack, & get back to you in a few hours. I just don't know how to thank you--you've been a God-send! I was going crazy with this thing! Can I buy you dinner . . . . maybe name my first-born after you?????

techhead · Guest

There's a step that Symantec left out. You must unregister the browserhelper.dll file or you will keep getting virus warnings even though the virus is no longer on your system.
To do this open a command prompt and type regsvr32 /u browserhelper.dll press enter, then click ok.
Next search for the file Browserhelper.dll on your hard drive and delete it. If you don't unregister the file first you won't be able to delete it.

Ponchie · Guest

Thanks to all for good advice. Have completed all steps, and came up with the following:
Logfile of HijackThis v1.97.3
Scan saved at 3:07:19 PM, on 11/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\windows\winlogon.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fastwebfinder.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [removed] C:\windows\removed.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://download.online-dialer.com/MaConnect.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/...7690203312
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...2564930556
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
O19 - User stylesheet: c:\windows\system.css (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

I am no longer getting the message about the Madfind; however, I do have a "tooncom" virus--UGH!
It looks to me, though, like the Madfind is still in the registry . . . .
As for Techhead's advice, I'm not sure what you mean--where do I type in that command? (I'm not very knowledgeable when it comes to complicated computer issues)
For now, though, things seem to be running well (knock on wood). Once again, thank you, and I'll check back frequently for any new advice!

CalamityJane · Posted: Tue Nov 04, 2003 5:34 pm Post subject:

Ponchie, you have still got a ton of adware/spyware and browser hijacks there. *Sigh* I would have thought Adaware would have removed more than I am seeing here (did you run the Adaware scan after getting the update )?

It will take me a little while to go through that list to tell you what is safe to fix with HiJackThis, unless someone faster than I am comes along Smile

Give me a bit and check back later, ok?

Meanwhile, go to this link and follow the instructions to remove the MyWebSearch parasite and I'll be going over your list for you.

MyWebSearch
http://www.doxdesk.com/parasite/MySearch.html

Ponchie · Guest

Jane, you're awesome! I'll do what you suggested, and then check back to you. One thing I noticed is that my instant messenger won't work. Is that related, in any way, to the Adaware scan that I ran? I really need instant messenger . . . . . Thank you--again!

CalamityJane · Posted: Tue Nov 04, 2003 5:51 pm Post subject:

Ok - you also have another nasty one (CoolWebSearch), and it is best to use this special tool to remove it. The first link is the page that hosts the download for the tool and the second link is a direct download in a zip file.

http://www.spywareinfo.com/~merijn/cwschronicles.html

http://www.spywareinfo.com/~merijn/file...redder.zip

Run that after you have removed the MyWebsearch (up above) and then post a new HijackThis log Smile

We are getting there Rolling Eyes

Be patient and hang in here Smile

CalamityJane · Posted: Tue Nov 04, 2003 5:54 pm Post subject:

P.S. I am not sure about the messenger problem. We'll have to look into that (or else maybe someone here already know and can help you with that.)

Perhaps an uninstall and reinstall might be a quick way to fix that.

Ponchie · Guest

Wow! Here's the latest:
Logfile of HijackThis v1.97.3
Scan saved at 5:36:54 PM, on 11/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\removed.exe
C:\windows\winlogon.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\ISTsvc\istsvc.exe

Jane, I'm serious about buying you dinner.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 804 pages served in previous 5 minutes. Page Rendered: 0.512 seconds.