
Posted

Hi! Thanks for the useful support. I cleaned my computer with your antimalware package, but I still have some problems. When I connect to the internet (I use Firefox), an Internet Explorer window opens automatically and goes to this site (which doesn't open): "http://www.funbangladesh.com/blehx.html". Also there is a toolbar/searchbar that I don't want, with buttons like 'online casino', 'ringtones', etc. If I try to click the 'uninstall' thing, I come to this site: "http://yupsearch.com/uninstall.php?ver=75&acc=r1chj4pqr" and I get pop-ups of this site.

Can you help me?

thanks,

annelore from Belgium.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:12:53, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\pichx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ipttotsr.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\annelore\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio1.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easysearch4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [REGWIN32] C:\pichx.exe
O4 - HKLM\..\Run: [dGTJw] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [bO²ùð×y-¯Œ] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [system service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Toat] "C:\Program Files\ipttotsr.exe" -vt mt
O4 - HKCU\..\Run: [Otj] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610703608
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610598167
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E21BD91-2422-4EA6-9EDC-9441DE74406C}: NameServer = 195.238.2.22 195.238.2.21
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)

Administrator
Posted

You still have several infections. But we'll get them all cleaned up. :D

Generated by Tarun's HijackThis Converter v0.43 Beta.

Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio1.be/

Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easysearch4you.com/sp2.php

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

Enumeration of suspicious auto-loading registry entries. Safe to remove:
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [REGWIN32] C:\pichx.exe
O4 - HKLM\..\Run: [dGTJw] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [bO²ùð×y-¯Œ] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [system service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [Toat] "C:\Program Files\ipttotsr.exe" -vt mt
O4 - HKCU\..\Run: [Otj] C:\WINDOWS\System32\d?xplore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Extra IE context menu items. Safe to remove:
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

Downloaded Program Files item. Safe to remove:
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB

Enumeration of NT Services. Safe to remove:
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)

Use HijackThis to do the following:

Config...

Delete a file on reboot.

C:\Windows\etb\nt_hide32.dll
C:\Windows\etb\pokapoka75.exe

You also have several viruses starting on bootup. I recommend getting ewido to clean out and remove some more malware and trojans. After that, please repost a log here.
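A small triage helper, added here as an example (not from this thread, HijackThis or the Converter), that applies the checks the reply above implies to O4 lines in this log format: Run values that name a bare executable with no directory (nvscv32.exe, winproc.exe), images dropped straight into the drive root or %WINDIR%, non-ASCII value names, and one image registered under two different names. The sample lines are a constructed subset of the posted log, written with the backslashes the forum stripped.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis O4 format used in this thread; a subset of
# the posted log, not the whole thing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [REGWIN32] C:\pichx.exe
O4 - HKLM\..\Run: [dGTJw] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [bO²ùð×y-¯Œ] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.*)$')

def image_path(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]

def triage_o4(log: str) -> Dict[str, List[str]]:
    """Map each suspicious O4 value name to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    first_owner: Dict[str, str] = {}   # lower-cased image path -> value name that first used it
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        name, path = m['name'], image_path(m['cmd'])
        reasons: List[str] = []
        if '\\' not in path:
            # nvscv32.exe / winproc.exe: no directory, so Windows resolves it by PATH search
            reasons.append('bare filename, resolved via PATH search rather than a fixed install location')
        elif re.fullmatch(r'[A-Za-z]:\\(WINDOWS\\)?[^\\]+', path, re.IGNORECASE):
            # C:\pichx.exe, C:\WINDOWS\jtplkt.exe: installers rarely drop binaries here
            reasons.append('executable sits directly in the drive root or %WINDIR%')
        if any(ord(c) > 126 for c in name):
            # [bO²ùð×y-¯Œ]: a value name made of high-bit garbage, not a product name
            reasons.append('value name is not printable ASCII, looks machine-generated')
        prior = first_owner.setdefault(path.lower(), name)
        if prior != name:
            reasons.append(f'same image also registered under [{prior}]')
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == '__main__':
    for name, why in triage_o4(SAMPLE_LOG).items():
        print(f'[{name}]')
        for r in why:
            print('   -', r)
```

The heuristics are deliberately narrow: known-good entries such as AVG and Skype produce no findings, and a real triage still ends with looking up each flagged image by hand.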

Posted

Use HijackThis to do the following:

Config...

Delete a file on reboot.

C:\Windows\etb\nt_hide32.dll

C:\Windows\etb\pokapoka75.exe

OK, I only find C:\Windows\etb\pokapoka75.exe in the log (the other one I can't find), and when I tried to check the box for C:\Windows\etb\pokapoka75.exe and wanted to do Config and delete a file on reboot, I get an hourglass and the program freezes.

In the meantime I'll have a look at ewido.com.

...

Posted

OK, this is what I did:

- I scanned with ewido

- I tried to find C:\Windows\etb\nt_hide32.dll and C:\Windows\etb\pokapoka75.exe, but didn't find them, so I couldn't delete them after reboot...

Still, here's my log after the ewido scan:

Logfile of HijackThis v1.99.1
Scan saved at 19:53:22, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ipttotsr.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\annelore\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.radio1.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easysearch4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [FireWire Service] nvscv32.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [dGTJw] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [bO²ùð×y-¯Œ] C:\WINDOWS\jtplkt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [system service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Toat] "C:\Program Files\ipttotsr.exe" -vt mt
O4 - HKCU\..\Run: [Otj] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/bel_ver32b.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610703608
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128610598167
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)

THANKS!!

Administrator
Posted

Use HijackThis to do the following:

Press the Config... button.

Delete a file on reboot.

In the box that pops up enter these two:

C:\Windows\etb\nt_hide32.dll

C:\Windows\etb\pokapoka75.exe

Administrator
Posted

Does that happen for both, or just the one?

Because your HijackThis log even says C:\WINDOWS\etb\pokapoka75.exe, and the nthide dll is in that folder.

Administrator
Posted

It's due to the nthide.dll.

If you go to Start, Run, cmd:

cd C:\Windows\etb

dir /w

You'll see there are even folders inside of it. Deleting nthide.dll and pokapoka75.exe can then happen.
