HJT Log - Browser hijacker [resolved]


  • This topic is locked

#1
Chris J

    New Member

  • Member
  • Pip
  • 8 posts
I have followed advice given on other threads for this particular 'hotoffers' hijacker: http://www.geekstogo...nfo-t14051.html

I have run spyware/trojan pgms: Trendmicro Housecall / Bitdefender / Adaware SE / SpyBot. / Silent Runners & Pocket Killbox.

After the Pocket Killbox instruction I would rather have a malware expert check my HJT log and advise what needs deleting.


With the hotoffers site pushing out mostly [bleep] photos - and this being a family PC - it really needs sorting.

(general advice: ALWAYS read a pop-up window to see what it's about BEFORE clicking the 'OK' button - no matter how busy you are!!!!!)

I am now posting results from A) Adaware SE B) Silent Runners C) HJT log

=================================================
A)

The adaware finds the same three suspect objects:
ArchiveData(auto-quarantine- 2005-04-13 00-33-04.bckp)
Referencefile : SE1R37 07.04.2005

IEHIJACKER.HOTOFFERS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{12345678-0000-0010-8000-00aaff6d2ea4}
obj[1]=RegValue : software\microsoft\windows\currentversion\explorer\sharedtaskscheduler "{12345678-0000-0010-8000-00AAFF6D2EA4}"

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=RegData : S-1-5-21-1960408961-113007714-1060284298-1003\Software\Microsoft\Internet Explorer\Main "Start Page"


===============================================
B)


"Silent Runners.vbs", revision 34, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"Click2Share" = "C:\Program Files\Sitecom\C2SLoad.exe" [null data]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"AS00_Gear311T" = "C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide" [" "]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"URLLSTCK.exe" = "C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"DiskeeperSystray" = ""C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"" ["Executive Software International, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Web assistant"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "Chris" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 9.0 Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0b\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Picture Package VCD Maker" -> shortcut to: "C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe -h" ["Sony Corporation."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\mswsock.dll [MS], 1 - 3


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Web assistant"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Web assistant"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\
(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

C:\WINDOWS\system32\Drivers\Etc\HOSTS

maps: 16 domain names to IP addresses,
15 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online, Inc."]
C2Share, C2Share, "C:\Program Files\Sitecom\IFR_Share.exe" [empty string]
Diskeeper, Diskeeper, "C:\Program Files\Executive Software\Diskeeper\DkService.exe" ["Executive Software International, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


==========================================

C)

Logfile of HijackThis v1.99.1
Scan saved at 00:41:33, on 13/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\Chris\Desktop\Spy ware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/179
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O1 - Hosts: 69.50.173.4 icq.com
O1 - Hosts: 69.50.173.4 www.icq.com
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108219333306
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.254...hm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F94560A8-F44D-4B7F-B892-BC723C8F7028}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=============================================



many thanks
  • 0



#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Chris J to Geeks to Go!

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

***

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

***

Download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
the full path to the file found by eScan. I expect it to be:
C:\WINDOWS\System32\systr.dll. Be sure to paste the one it finds.

It will prompt you to reboot, press the YES button.

***

Open HijackThis.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/179

O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.254...hm::/update.exe

Click on Fix Checked when finished and exit HijackThis.
Press 'allow' if Spybot prompts you on a change.

***

Reboot again. Post back here in this topic with a fresh log using HijackThis.
  • 0
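
Added example, not part of the original thread and not HijackThis's own code: a triage pass over a HijackThis log that flags the three kinds of entry the reply above deals with (the R0 start page, the O1 hosts redirects and the O16 DPF entry whose codebase is not plain HTTP). The `triage` function, its heuristics and the `expected_home_hosts` parameter are assumptions of this example; the sample lines are copied from the log in post #1, plus one constructed loopback entry for contrast.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log in this thread,
# plus one constructed loopback hosts entry that must NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/179
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108219333306
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.254...hm::/update.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
DPF = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<label>.*?)\))? - (?P<src>.+)$")
START = re.compile(r"Start Page = (?P<url>\S+)$")


def _is_local(ip_text):
    """True for loopback/unspecified addresses, which are normal in a hosts file."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: report it rather than hide it
    return addr.is_loopback or addr.is_unspecified


def triage(log_text, expected_home_hosts=()):
    """Return a list of (code, subject, reason) tuples for entries worth review.

    Heuristics (assumptions of this example, not HijackThis rules):
      R0/R1  start page whose host is not in expected_home_hosts
      O1     hosts-file lines that point a name at a non-local address
      O16    downloaded program files whose codebase is not http/https
    """
    findings = []
    redirects = defaultdict(set)  # ip -> hostnames redirected to it

    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        code, body = entry["code"], entry["body"]

        if code in ("R0", "R1"):
            start = START.search(body)
            if start:
                host = urlsplit(start["url"]).hostname or ""
                if host not in expected_home_hosts:
                    findings.append((code, host, "start page host not in expected list"))
        elif code == "O1":
            hosts = HOSTS.match(body)
            if hosts and not _is_local(hosts["ip"]):
                redirects[hosts["ip"]].add(hosts["name"])
        elif code == "O16":
            dpf = DPF.match(body)
            if dpf:
                scheme = dpf["src"].split(":", 1)[0].lower()
                if scheme not in ("http", "https"):
                    findings.append(
                        ("O16", dpf["clsid"], f"codebase uses '{scheme}:' instead of http(s)")
                    )

    # One finding per target address: many unrelated sites mapped to a single
    # IP is the pattern seen in this log.
    for ip, names in redirects.items():
        listed = ", ".join(sorted(names))
        findings.append(("O1", ip, f"{len(names)} hostname(s) redirected: {listed}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

Pass the home pages a machine is supposed to have as `expected_home_hosts` so that a legitimate start page is not reported.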

#3
shkdr

    IT Professional

  • Member
  • PipPip
  • 24 posts
Edited by GeekU moderator.
If you are interested in helping, please consider joining us in GeekU. You can apply here http://www.geekstogo...here-t4817.html

Edited by Efwis, 15 April 2005 - 12:47 PM.

  • 0

#4
Chris J

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Mwav and HJT log as requested.
thanks

Mwav Results

File C:\WINDOWS\System32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Chris\LOCALS~1\Temp\tmp4C.tmp infected by "Trojan-Downloader.Win32.Murlo.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Chris\Desktop\Spy ware\hijackthis.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Chris\Desktop\Spy ware\hijackthistxt1.txt infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Chris\Local Settings\Temp\tmp4C.tmp infected by "Trojan-Downloader.Win32.Murlo.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\AOL 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AOL 9.0a\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AOL 9.0b\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\14CA1190 infected by "not-a-virus:AdWare.Serch.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\1CA46D6B.exe infected by "Trojan-Downloader.Win32.Small.aiq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\2834296A.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\31011BD4.dll infected by "Trojan-PSW.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\3A2B7F2F.class infected by "Trojan-Dropper.Java.Beyond.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\48ED2F7F infected by "Trojan-Dropper.Win32.Agent.hj" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6CF8450F.class infected by "Trojan-Dropper.Java.Beyond.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\744C5751.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\776C05E1.exe infected by "Trojan-Downloader.Win32.Small.aiq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\776C05E1.htm infected by "Trojan.JS.Seeker" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\77702FDD.exe infected by "Trojan-Downloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\777359DA.zip infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\778001CB.zip infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\77AE4D99.exe infected by "Trojan-Downloader.Win32.Small.aiq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\77B17795.exe infected by "Trojan-Downloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\77B17795.htm infected by "Trojan.JS.Seeker" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\77B42192.exe infected by "Trojan-Downloader.Win32.Small.aiq" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\786152D3.htm infected by "Trojan-Downloader.JS.Psyme.ap" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\788520AC.zip infected by "Trojan.Java.Needy.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\79DF032F.htm infected by "Trojan-Downloader.JS.Psyme.ap" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\79F37F19.tmp infected by "Trojan-Downloader.JS.Psyme.ab" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\7A0A2500.tmp infected by "Virus.Win32.Bube.k" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\7A1422F5.tmp infected by "Trojan-Proxy.Win32.Small.an" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\7B810163.tmp infected by "Trojan-Downloader.JS.Psyme.ab" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\7BC3491B.zip infected by "Trojan.Java.Needy.c" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1960408961-113007714-1060284298-1003\Dc21.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1960408961-113007714-1060284298-1003\Dc22.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020088.exe infected by "Trojan-Dropper.Win32.Small.vi" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020089.exe infected by "Trojan-Dropper.Win32.Agent.gs" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020090.exe infected by "Trojan-Dropper.Win32.Small.ue" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020125.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020126.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020127.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020134.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020135.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020136.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020157.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020165.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020179.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020181.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020203.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020210.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020239.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020240.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP86\A0020488.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP86\A0020605.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP86\A0020606.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP86\A0020662.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP86\A0020670.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP90\A0020761.dll infected by "Trojan-PSW.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP92\A0020851.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP92\A0020905.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP95\A0022012.dll infected by "Trojan-Downloader.Win32.Agent.ko" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022127.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022128.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022148.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022149.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022151.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022166.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022167.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\update.exe infected by "Trojan-Dropper.Win32.Small.vi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.
File D:\new disk saves\AOL 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


Logfile of HijackThis v1.99.1
Scan saved at 22:11:53, on 15/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Sitecom\IFR_Share.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sitecom\C2SLoad.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\Chris\Desktop\Spy ware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Click2Share] C:\Program Files\Sitecom\C2SLoad.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108219333306
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F94560A8-F44D-4B7F-B892-BC723C8F7028}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: C2Share - Unknown owner - C:\Program Files\Sitecom\IFR_Share.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


hope to hear from you soon

regards

Edited by Chris J, 15 April 2005 - 03:15 PM.

#5
Chris J (New Member, Topic Starter, 8 posts)
Thanks g2i2r4 - HOTOFFERS REMOVED!!!!!

Have rebooted after your advice and hotoffers has gone.

On the first reboot - WinPatrol advised of an attempted registry/default browser change from Hotoffers to Google which I allowed.

Is there anything else that shows up in the logs that needs to be deleted? There must be with all the mwav stuff - seems loads of quarantined stuff in Norton was picked up as well.

Thanks again - donation on its way

Chris

#6
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Thanks in advance Chris J for your donation!


Let's first take the biggest parts from that scan:

Open Norton and remove the quarantined files.

***

Go to start – right-click this computer/my computer
Go to properties
Go to the tab system restore
Put a check to ‘turn off system restore (on all drives)’.
Press ‘apply’.
Remove the check to ‘turn off system restore (on all drives)’.
Press ‘apply’.
Now you have created a new restore point. I advise you to do that again once the scans return clean.

***

Empty your recycle bin, also remove the files from the protected recycle bin if you have one.

***

1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance.
3. Click Free up space on your hard disk.

The Disk Cleanup dialog box appears.
4. On the Disk Cleanup tab, select the following check boxes:
* Downloaded Program Files
* Temporary Internet Files
* Temporary Files
* Temporary Offline Files
* Offline Files
5. Click OK to delete the files from these locations.
6. When prompted, click Yes to start the disk cleanup.

***

Download CleanUp!.
If the link doesn't work, download it from here.

Find and double-click the file cleanup312.exe.

Go to option
Select ‘custom’
Put a check to:
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do the Mwav scan again. Post the results here in your answer. Let's see what's left.
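
The reasoning behind the cleanup steps in post #6, as an added example that is not part of the thread and not written by its participants: it groups MWAV result lines by where the file sits, so detections held in System Restore snapshots and the Recycle Bin are separated from live files that still need a scanner to clean them. The sample lines are copied from the log above; the location-to-step mapping and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Six result lines copied from the MWAV log in this thread.
SAMPLE_LOG = r'''File C:\RECYCLER\S-1-5-21-1960408961-113007714-1060284298-1003\Dc21.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP82\A0020088.exe infected by "Trojan-Dropper.Win32.Small.vi" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{61B93737-3A54-4877-B169-B2CDC08DE89C}\RP97\A0022167.exe infected by "Trojan.Win32.Dialer.gx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\update.exe infected by "Trojan-Dropper.Win32.Small.vi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.
File D:\new disk saves\AOL 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
'''

# One result line: either 'infected by "<name>" Virus.' or 'tagged as <name>.'
LINE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<virus>[^"]+)" Virus|tagged as (?P<tag>\S+))\.\s'
)

# Assumed mapping: path fragment -> the step in post #6 that empties that location.
STEPS = [
    ("\\system volume information\\_restore", "System Restore off/on"),
    ("\\recycler\\", "empty Recycle Bin"),
    ("\\downloaded program files\\", "Disk Cleanup"),
]
LIVE = "live file, needs a scanner"
TAGGED = "tagged only, not an infection"


def parse(log):
    """Yield (path, detection name, infected?) for every recognised line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["path"], m["virus"] or m["tag"], m["virus"] is not None


def bucket(path):
    """Return the cleanup step whose location contains this path."""
    lowered = path.lower()
    for fragment, step in STEPS:
        if fragment in lowered:
            return step
    return LIVE


def triage(log):
    """Group detections by the step expected to remove them."""
    groups = defaultdict(list)
    for path, name, infected in parse(log):
        groups[bucket(path) if infected else TAGGED].append((path, name))
    return dict(groups)


if __name__ == "__main__":
    for step, hits in triage(SAMPLE_LOG).items():
        print(f"{step}: {len(hits)}")
        for path, name in hits:
            print(f"    {name}  {path}")
```

On these lines the only infected live file is guninst.exe, which matches the follow-up scan posted in the thread.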

#7
Chris J (New Member, Topic Starter, 8 posts)
New Mwav results (slight difference from first one!!!!!!!!!!)


File C:\WINDOWS\System32\guninst.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus. Action Taken: No Action Taken.


regards

#8
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Looks good.
To be on the safe side, let's have Panda clean that file and check if there's more.
Panda online scan
Make sure that you choose "fix" or "clean".

Reboot after the scan is completed.

Let me know how things are now.

Thanks for your donation :tazz:

Edited by g2i2r4, 16 April 2005 - 02:37 AM.


#9
Chris J (New Member, Topic Starter, 8 posts)
Panda results -


Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7bfa8c57-7449cf23.RB0[Dummy.class]
Virus:Trj/Downloader.BCK Disinfected C:\WINDOWS\system32\guninst.exe

Anything else I need to do now?

#10
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Download:
CoolWWWSearch Smartkiller. Update and run it.
If it says:
"CoolWWWSearch.SmartKiller (v1/v2) has not been found on your system"
it means there is no infection found.

Download:
CWShredder.
Update it, open the program and choose FIX.

Let me know how things are now.

#11
Chris J (New Member, Topic Starter, 8 posts)
SmartKiller and Shredder clear.

Did get SpySubtract from the shredder link and that turned up one possible entry:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com

Is this anything to worry about?

cheers

#12
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Are you using IE-SPYadd?

#13
Chris J (New Member, Topic Starter, 8 posts)
Not that I know of!!!!!!!!!!!!!

#14
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
If you don't know, you don't!

I've been checking that item, it seems to be OK.

I wouldn't change anything.

I take it the system is working OK now?

#15
Chris J (New Member, Topic Starter, 8 posts)
Yes - ALL CLEAR WITH NO PROBLEMS

Many thanks for your help

Regards


Chris