Suspicion of Hijackers



#1 Slowest_Computer_Ever (New Member, 8 posts)
Programs like Firefox were closing as soon as they were opened. That seems to have stopped, though, with the deletion of a virus in Temporary Internet Files. That was about three days ago. When I logged on today I couldn't open any folders and the computer was running very slowly. It was difficult to do anything, so I rebooted in safe mode and ran the following programs (in the order listed): Spybot Search and Destroy (found three malicious registries and deleted them), Ad-aware (found 50 or so cookies and deleted them), Spyhunter (found nothing), Ewido (found 53 cookies and a tracer? - deleted all), and finally AVG Free edition, which didn't find anything.

I keep trying to use Panda ActiveScan but I just keep having bad luck and the power goes out or someone shuts off the computer.

Anyway, the computer seems better now, but I wanna make sure everything is gone so I can log into other accounts without having to worry about keyloggers.

So here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:28 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\America Online 9.0e\waol.exe
C:\Program Files\America Online 9.0e\shellmon.exe
C:\Program Files\Adobe\Photoshop Elements 2\PhotoshopElements.exe
C:\Program Files\America Online 9.0e\aolwbspd.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jackie.COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti - http://download2.gam...ts/y/grt5_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...75/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76131B35-7AB7-4DFE-B3C9-77515FBA0DD3}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

#2 Slowest_Computer_Ever (Topic Starter)
Finally got Panda ActiveScan Results:


Incident Status Location

Adware:adware/comet Not disinfected c:\windows\inf\dm.PNF
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:adware/buddylinks Not disinfected Windows Registry
Adware:adware program Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:Adware/WebHancer Not disinfected C:\!KillBox\whagent.inf.dat[Documents and Settings/Nick/Local Settings/Temp/WZS4.tmp/whAgent.inf]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jackie.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ipoghig3.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nick\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][2].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\nick.COMPUTER\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\trav\Cookies\[email protected][1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/jackie.COMPUTER/Cookies/[email protected][2].txt]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/jackie.COMPUTER/Cookies/[email protected][1].txt]
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/jackie.COMPUTER/Cookies/[email protected][2].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat[Documents and Settings/jackie.COMPUTER/Cookies/[email protected][1].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat[Documents and Settings/jackie.COMPUTER/Cookies/[email protected][2].txt]