randomly named dos based processes

well i hoped i could solve this problem on my own but to no avail. i get popups of randomly named dos based processes and constant "initialization error" popups. I have symanted and all the latest windows updates but still nothing....

the best i could make of the dos programs running were the abreviated names, things like:

I1QUCG~1.EXE
mt5ve6.exe
XMLJPO~1.EXE

doing a search for these i found absolutely nothing.

here's my log file. hopefully you'll be able to find something.


Logfile of HijackThis v1.97.7
Scan saved at 7:31:27 PM, on 10/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\WINDOWS\System32\qttask.exe
E:\WINDOWS\system32\SPnt.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Administrator\My Documents\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] E:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [SPnt] E:\WINDOWS\system32\SPnt.exe
O4 - HKCU\..\Run: [areslite] "E:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = E:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hi blamo!,

Please update HijackThis, you are using an outdated version:

Open HijackThis, click Config > Misc Tools > Check for Update online

Or download a copy of version 1.98.2 at:

http://www.majorgeeks.com/download3155.html

Post a fresh log with this new version.

Tom

here is my new log. thanks for the response.

Logfile of HijackThis v1.98.2
Scan saved at 2:10:41 AM, on 10/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\WINDOWS\System32\qttask.exe
E:\WINDOWS\system32\SPnt.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\phpdev5\apache\Apache.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\phpdev5\apache\Apache.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
E:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-mdude
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-mdude
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] E:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [SPnt] E:\WINDOWS\system32\SPnt.exe
O4 - HKCU\..\Run: [areslite] "E:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.

Please move or unzip HijackThis to a permanent folder such as C:\HJT It is important that it is in it's own folder as it will make important backups of what we will fix.

Please open My Computer > double-click your C:\ drive > File > New > Folder > name it HJT and put HijackThis into that folder.

Next....

Logoff your internet connection.Please press Ctrl-Alt-Delete and open Task Manager. End the following process by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

SPnt.exe

Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-mdude
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-mdude
O4 - HKCU\..\Run: [SPnt] E:\WINDOWS\system32\SPnt.exe

These are resource hogs that are not needed at startup. You can safely remove these too:

O4 - HKLM\..\Run: [QuickTime Task] E:\WINDOWS\System32\qttask.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE

Next....

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the following files:

E:\WINDOWS\system32\SPnt.exe

Empty your recycle bin.

Reboot normally and post a fresh HijackThis log.

Tom

Thank you for the instructions...here is my latest log file...

thanks in advance.


E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\phpdev5\apache\Apache.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\phpdev5\apache\Apache.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\wuauclt.exe
E:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [areslite] "E:\Program Files\Ares Lite Edition\AresLite.exe" -h
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

Good work, the log is clean!!!

In light of the recent infections, let's purge system restore.

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 Click OK.

Create a new Restore Point:

Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close.

The date and time will automatically be added.

Then....

These are tools that will help keep you from getting infected again:

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in InternetExplorer.

http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

http://mvps.org/winhelp2002/hosts.htm

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available" http://v4.windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?

http://computercops.biz/postlite7736-.html

Tom

Thanks so much for the detailed instructions. I was on the verge of formating my hard drive this weekend and starting over... i havent seen a single strange popup since, so thanks!!

Your welcome. Happy to hear you didn't format

Tom