[Kuruption]

Well, i was told that this was the board to be at when u are having PC troubles. I.E. Hijackers, spyware, etc... My PC has been having some issues with slow down. This slow down as at the point, it took me an hour to get this far. From all the closing of the pop-up screens, not to mention that search bar in the lower right hand corner of my screen. Well here is my log, maybe you could point me in the right direction of what to do... By the way, i have CCleaner, Ad-Aware, Spybot, and LQFix.

Thanks who view and reply! As promised, here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 6:13:20 PM, on 3/22/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.exe
C:\WINNT\isrvs\desktop.exe
C:\Documents and Settings\The Albrechts\Application Data\cilo.exe
C:\WINNT\system32\??rvices.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\ISTsvc\istsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {AF3FCBEB-7257-03F4-7D23-70C2B9554298} - C:\WINNT\system32\zaesvf.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [n6MGSf8Ah] C:\WINNT\gdliu.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [yxqoei] c:\winnt\system32\yxqoei.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gofi51j4] C:\Program Files\gofi51j4\gofi51j4.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Fbufgv.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKCU\..\Run: [fuoq] C:\PROGRA~1\COMMON~1\fuoq\fuoqm.exe
O4 - HKCU\..\Run: [Hsts] C:\Documents and Settings\The Albrechts\Application Data\cilo.exe
O4 - HKCU\..\Run: [Hxodemo] C:\WINNT\system32\??rvices.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

[Advertisements]

Welcome to Geeks to Go!
First, I need you to download the latest version of HiJackThis.
Click Here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it.

Make sure you are disconnected from the Internet and all windows and programs are closed. Run HiJack This and post your new log here.

Michelle

[Michelle]

Welcome to Geeks to Go!
First, I need you to download the latest version of HiJackThis.
Click Here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it.

Make sure you are disconnected from the Internet and all windows and programs are closed. Run HiJack This and post your new log here.

Michelle

[Kuruption]

After doing some reading and what not, i think i have gotten most.

here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:25 AM, on 3/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\Mixer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Albrechts\Local Settings\Temporary Internet Files\Content.IE5\OXU7K9U7\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


not sure what this is:

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

[Michelle]

First, I need you to move HiJackThis to a permanent folder. This ensures backups are saved and accessible. This is VITAL as we have many things to remove from your system and we need to make sure there is a backup!
1.) Go into Windows explorer (located in Start > Programs > Accessories).
2.) Click the (C:) drive to highlight it.
3.) Go up to "File > New" (located at the top left corner of your screen) then click "Folder".
4.) Please name this folder "HJT".
5.) Locate HiJackThis.exe in C:\Documents and Settings\The Albrechts\Local Settings\Temporary Internet Files\Content.IE5\OXU7K9U7\HijackThis[1].exe
6.) Right click on HiJackThis.exe and go to "cut".
7.) Find the folder you just made in the C: drive (HJT). Go into the folder, right click on an open space and click "paste".

Michelle

Edited by bananafanafo, 23 March 2005 - 12:31 AM.

[Kuruption]

There i created a directory for hijack this. Here is a new log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:53 AM, on 3/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\HJT\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

[Michelle]

You did a really good job on cleaningyour system up since your original log! Just a couple of difficult items to remove.

First, I need you to run both of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Then, copy the results of both scans and paste them here.

Michelle

[Kuruption]

This is taking awhile. Trend-micro removed 2 trojans. Panda active scan has 29 objects that are infected, 1 suspicious, and 2 cleaned. It's not even half way done, so i appologize for that wait.

Gio

[Michelle]

It's no problem at all!

I'll just keep checking back

Michelle

[Kuruption]

Here is a panda log:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\WINNT\system32\cache\cxtpls_loader.exe
Adware:Adware/Sqwire No disinfected Windows Registry
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\The Albrechts\Application Data\sskknwrd.dll
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\The Albrechts\Favorites\Casino & Carrers
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Virus:Trj/Delprot.A Disinfected C:\WINNT\system32\drivers\delprot.sys
Spyware:Spyware/ISTbar No disinfected C:\WINNT\system32\tsuninst.exe
Adware:Adware/ISearch No disinfected C:\WINNT\system32\Cache\MTE0MzA6ODoxMg.exe
Spyware:Spyware/ClearSearch No disinfected C:\WINNT\system32\Cache\CSv13P108.exe
Adware:Adware/Apropos No disinfected C:\WINNT\system32\Cache\cxtpls_loader.exe
Adware:Adware/MyWay No disinfected C:\WINNT\system32\Cache\s4Sept.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\Cache\wrapperouter.exe
Adware:Adware/nCase No disinfected C:\WINNT\system32\Cache\saie1101.exe
Virus:Trj/Delf.EB Disinfected C:\WINNT\system32\Cache\HelperInstall.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\Cache\installer_MARKETING17.exe
Adware:Adware/AdLogix No disinfected C:\WINNT\system32\Cache\videoinst.exe
Adware:Adware/nCase No disinfected C:\WINNT\system32\Cache\pop.exe
Adware:Adware/TopRebates No disinfected C:\WINNT\system32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/Transponder No disinfected C:\WINNT\inf\Pynix.inf
Spyware:Spyware/BetterInet No disinfected C:\WINNT\inf\ceres.inf
Adware:Adware/Transponder No disinfected C:\WINNT\inf\dlmax.inf
Adware:Adware/Transponder No disinfected C:\WINNT\dlmax.dll
Adware:Adware/Transponder No disinfected C:\WINNT\Pynix.dll
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/EliteBar No disinfected C:\WINNT\sideb.exe
Spyware:Spyware/BetterInet No disinfected C:\WINNT\Buddy.exe
Adware:Adware/StartPage.DD No disinfected C:\WINNT\protector_update.exe
Possible Virus. No disinfected C:\Documents and Settings\The Albrechts\Local Settings\Temp\ptf_0004.exe
Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/Transponder No disinfected C:\unzipped\hijackthis\backups\backup-20050322-172609-266.dll
Adware:Adware/EliteBar No disinfected C:\unzipped\hijackthis\backups\backup-20050322-172614-193.dll
Adware:Adware/Transponder No disinfected C:\unzipped\hijackthis\backups\backup-20050322-222213-207.dll
Adware:Adware/PurityScan No disinfected C:\unzipped\hijackthis\backups\backup-20050322-222213-271.dll

[Michelle]

Ok this is going to take a little while to do! You'll have to run Panda again a couple of times (probably), but you don't have to yet!

Click Here to download Killbox.

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINNT\system32\drivers\delprot.sys
C:\WINNT\system32\tsuninst.exe
C:\WINNT\inf\Pynix.inf
C:\WINNT\inf\ceres.inf
C:\WINNT\inf\dlmax.inf
C:\WINNT\dlmax.dll
C:\WINNT\Pynix.dll
C:\WINNT\inst\3p_1.exe
C:\WINNT\sideb.exe
C:\WINNT\Buddy.exe
C:\WINNT\protector_update.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\isrvs\ffisearch.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to reboot now, press the NO button. Press the NO button EVERYTIME until you have entered the LAST file path I have listed above. Only press the YES button after that LAST file path has been entered otherwise we'll have to do this all over again.

After you computer reboots, download and install this program:
CleanUp!

Run it.

Now make sure you are disconnected from the Internet and all programs and windows are closed, then run HiJackThis. Place a checkmark next to the following items, then click "FIX CHECKED":

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

Now, reboot into safe mode. You can do this by continually tapping the F8 key until a menu appears. Use your up arrow key and highlight Safe Mode, press enter.

Be sure you're able to VIEW Hidden files. Here are the instructions to do that: http://www.xtra.co.n...1916458,00.html

Using Windows Explorer, DELETE the following folder (in bold), if found:

C:\WINNT\isrvs

Reboot into normal mode and post a new HiJackThis log.

Edited by bananafanafo, 23 March 2005 - 03:56 PM.