Malware, Hijacker, Spyware. You name it [resolved]



#1 Kuruption (New Member)
Well, I was told that this was the board to be at when you are having PC troubles, i.e. hijackers, spyware, etc. My PC has been having some issues with slowdown. This slowdown is at the point where it took me an hour to get this far, from all the closing of the pop-up screens, not to mention that search bar in the lower right-hand corner of my screen. Well, here is my log; maybe you could point me in the right direction of what to do. By the way, I have CCleaner, Ad-Aware, Spybot, and LQFix.

Thanks to all who view and reply! As promised, here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 6:13:20 PM, on 3/22/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.exe
C:\WINNT\isrvs\desktop.exe
C:\Documents and Settings\The Albrechts\Application Data\cilo.exe
C:\WINNT\system32\??rvices.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\ISTsvc\istsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {AF3FCBEB-7257-03F4-7D23-70C2B9554298} - C:\WINNT\system32\zaesvf.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [n6MGSf8Ah] C:\WINNT\gdliu.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [yxqoei] c:\winnt\system32\yxqoei.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gofi51j4] C:\Program Files\gofi51j4\gofi51j4.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Fbufgv.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKCU\..\Run: [fuoq] C:\PROGRA~1\COMMON~1\fuoq\fuoqm.exe
O4 - HKCU\..\Run: [Hsts] C:\Documents and Settings\The Albrechts\Application Data\cilo.exe
O4 - HKCU\..\Run: [Hxodemo] C:\WINNT\system32\??rvices.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll


#2 Michelle (Malware Removal Goddess, Retired Staff)
Welcome to Geeks to Go!
First, I need you to download the latest version of HiJackThis.
Click Here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it.

Make sure you are disconnected from the Internet and all windows and programs are closed. Run HiJack This and post your new log here.

Michelle :tazz:

#3 Kuruption (Topic Starter)
After doing some reading and whatnot, I think I have gotten most of it.

Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:25 AM, on 3/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\Mixer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Albrechts\Local Settings\Temporary Internet Files\Content.IE5\OXU7K9U7\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Not sure what this is:

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

#4 Michelle (Malware Removal Goddess, Retired Staff)
First, I need you to move HiJackThis to a permanent folder. This ensures backups are saved and accessible. This is VITAL as we have many things to remove from your system and we need to make sure there is a backup!
1.) Go into Windows explorer (located in Start > Programs > Accessories).
2.) Click the (C:) drive to highlight it.
3.) Go up to "File > New" (located at the top left corner of your screen) then click "Folder".
4.) Please name this folder "HJT".
5.) Locate HiJackThis.exe in C:\Documents and Settings\The Albrechts\Local Settings\Temporary Internet Files\Content.IE5\OXU7K9U7\HijackThis[1].exe
6.) Right click on HiJackThis.exe and go to "cut".
7.) Find the folder you just made in the C: drive (HJT). Go into the folder, right click on an open space and click "paste".

Michelle

Edited by bananafanafo, 23 March 2005 - 12:31 AM.


#5 Kuruption (Topic Starter)
There, I created a directory for HijackThis. Here is a new log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:53 AM, on 3/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\HJT\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

#6 Michelle (Malware Removal Goddess, Retired Staff)
You did a really good job on cleaning your system up since your original log! Just a couple of difficult items to remove.

First, I need you to run both of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Then, copy the results of both scans and paste them here.

Michelle :tazz:

#7 Kuruption (Topic Starter)
This is taking a while. Trend Micro removed 2 trojans. Panda ActiveScan has 29 objects that are infected, 1 suspicious, and 2 cleaned. It's not even halfway done, so I apologize for the wait.

Gio

#8 Michelle (Malware Removal Goddess, Retired Staff)
It's no problem at all!

I'll just keep checking back :tazz:

Michelle

#9 Kuruption (Topic Starter)
Here is a panda log:


Incident | Status | Location
Adware:Adware/SaveNow | No disinfected | Windows Registry
Adware:Adware/Apropos | No disinfected | C:\WINNT\system32\cache\cxtpls_loader.exe
Adware:Adware/Sqwire | No disinfected | Windows Registry
Spyware:Spyware/TVMedia | No disinfected | C:\Documents and Settings\The Albrechts\Application Data\sskknwrd.dll
Adware:Adware/SideFind | No disinfected | Windows Registry
Adware:Adware/EliteBar | No disinfected | C:\Documents and Settings\The Albrechts\Favorites\Casino & Carrers
Spyware:Spyware/SurfSideKick | No disinfected | Windows Registry
Virus:Trj/Delprot.A | Disinfected | C:\WINNT\system32\drivers\delprot.sys
Spyware:Spyware/ISTbar | No disinfected | C:\WINNT\system32\tsuninst.exe
Adware:Adware/ISearch | No disinfected | C:\WINNT\system32\Cache\MTE0MzA6ODoxMg.exe
Spyware:Spyware/ClearSearch | No disinfected | C:\WINNT\system32\Cache\CSv13P108.exe
Adware:Adware/Apropos | No disinfected | C:\WINNT\system32\Cache\cxtpls_loader.exe
Adware:Adware/MyWay | No disinfected | C:\WINNT\system32\Cache\s4Sept.exe
Adware:Adware/VirtualBouncer | No disinfected | C:\WINNT\system32\Cache\wrapperouter.exe
Adware:Adware/nCase | No disinfected | C:\WINNT\system32\Cache\saie1101.exe
Virus:Trj/Delf.EB | Disinfected | C:\WINNT\system32\Cache\HelperInstall.exe
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINNT\system32\Cache\installer_MARKETING17.exe
Adware:Adware/AdLogix | No disinfected | C:\WINNT\system32\Cache\videoinst.exe
Adware:Adware/nCase | No disinfected | C:\WINNT\system32\Cache\pop.exe
Adware:Adware/TopRebates | No disinfected | C:\WINNT\system32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/Transponder | No disinfected | C:\WINNT\inf\Pynix.inf
Spyware:Spyware/BetterInet | No disinfected | C:\WINNT\inf\ceres.inf
Adware:Adware/Transponder | No disinfected | C:\WINNT\inf\dlmax.inf
Adware:Adware/Transponder | No disinfected | C:\WINNT\dlmax.dll
Adware:Adware/Transponder | No disinfected | C:\WINNT\Pynix.dll
Spyware:Spyware/Dyfuca | No disinfected | C:\WINNT\inst\3p_1.exe
Adware:Adware/EliteBar | No disinfected | C:\WINNT\sideb.exe
Spyware:Spyware/BetterInet | No disinfected | C:\WINNT\Buddy.exe
Adware:Adware/StartPage.DD | No disinfected | C:\WINNT\protector_update.exe
Possible Virus. | No disinfected | C:\Documents and Settings\The Albrechts\Local Settings\Temp\ptf_0004.exe
Possible Virus. | No disinfected | C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/Transponder | No disinfected | C:\unzipped\hijackthis\backups\backup-20050322-172609-266.dll
Adware:Adware/EliteBar | No disinfected | C:\unzipped\hijackthis\backups\backup-20050322-172614-193.dll
Adware:Adware/Transponder | No disinfected | C:\unzipped\hijackthis\backups\backup-20050322-222213-207.dll
Adware:Adware/PurityScan | No disinfected | C:\unzipped\hijackthis\backups\backup-20050322-222213-271.dll

#10 Michelle (Malware Removal Goddess, Retired Staff)
Ok this is going to take a little while to do! You'll have to run Panda again a couple of times (probably), but you don't have to yet!

Click Here to download Killbox.

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINNT\system32\drivers\delprot.sys
C:\WINNT\system32\tsuninst.exe
C:\WINNT\inf\Pynix.inf
C:\WINNT\inf\ceres.inf
C:\WINNT\inf\dlmax.inf
C:\WINNT\dlmax.dll
C:\WINNT\Pynix.dll
C:\WINNT\inst\3p_1.exe
C:\WINNT\sideb.exe
C:\WINNT\Buddy.exe
C:\WINNT\protector_update.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\isrvs\ffisearch.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to reboot now, press the NO button. Press the NO button EVERY TIME until you have entered the LAST file path I have listed above. Only press the YES button after that LAST file path has been entered; otherwise we'll have to do this all over again.

After your computer reboots, download and install this program:
CleanUp!

Run it.

Now make sure you are disconnected from the Internet and all programs and windows are closed, then run HiJackThis. Place a checkmark next to the following items, then click "FIX CHECKED":

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe


Now, reboot into safe mode. You can do this by continually tapping the F8 key until a menu appears. Use your up arrow key and highlight Safe Mode, press enter.

Be sure you're able to VIEW Hidden files. Here are the instructions to do that: http://www.xtra.co.n...1916458,00.html

Using Windows Explorer, DELETE the following folder (in bold), if found:

C:\WINNT\isrvs

Reboot into normal mode and post a new HiJackThis log.

Edited by bananafanafo, 23 March 2005 - 03:56 PM.

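As an added example (not from this thread and not part of HijackThis itself), a small Python parser for the log lines posted above. It extracts the file that each O2/O3/O4/O18 entry loads, lists the entries still pointing into C:\WINNT\isrvs (the reason the two O4 lines must be fixed before that folder is deleted), and flags "??rvices.exe"-style names that cannot simply be retyped. The section layouts and sample lines are taken from the logs in this thread; the regexes and helper names are my own.

```python
import re
from dataclasses import dataclass
# Constructed sample in the format HijackThis writes, copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [Hxodemo] C:\WINNT\system32\??rvices.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
"""
@dataclass
class Entry:
    section: str   # O2 (BHO), O3 (toolbar), O4 (Run key) or O18 (MIME filter)
    name: str      # display name, or the Run value name shown in [brackets]
    path: str      # file the entry loads; None when HijackThis shows "(no file)"
    missing: bool  # registry entry present but HijackThis could not find the file

RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$')
CLSID_RE = re.compile(r'^(O2|O3|O18) - [^:]+: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')

def command_path(command):
    """Executable part of a Run-key command line, quoted ("path" args) or bare (path args)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]

def parse_line(line):
    m = RUN_RE.match(line)
    if m:
        return Entry('O4', m.group(1), command_path(m.group(2)), False)
    m = CLSID_RE.match(line)
    if m:
        target = m.group(3)
        missing = target == '(no file)' or target.endswith('(file missing)')
        path = None if target == '(no file)' else target.replace(' (file missing)', '')
        return Entry(m.group(1), m.group(2), path, missing)
    return None  # R0/R1, O16, O23 and the other sections are not handled here

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def entries_under(entries, folder):
    """Entries loading from `folder`: the autostarts to fix before that folder is deleted."""
    prefix = folder.lower().rstrip('\\') + '\\'
    return [e for e in entries if e.path is not None and e.path.lower().startswith(prefix)]

def unrenderable(entries):
    """'?' cannot occur in a Windows file name, so '??rvices.exe' is a name HijackThis could not print."""
    return [e for e in entries if e.path is not None and '?' in e.path]
```

Entries with `missing` set are registry leftovers whose file is already gone, which is why HijackThis alone is enough for them, while the C:\WINNT\isrvs entries still have live files behind them.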