Edited by mmcarr, 02 January 2004 - 08:28 AM.
Virus Problems
Started by
mmcarr
, Jan 02 2004 08:23 AM
#1
Posted 02 January 2004 - 08:23 AM
#2
Posted 02 January 2004 - 10:41 AM
Hi mmcarr
Welcome to geekstogo
Have you tried to run the tools off the Norton CD? Have you tried to restore to a date before the problem started? Try to do these if you have not done so. Repost and let us know if you need more help. If you can get the system so it can get on the internet, there are some good virus scans you can run online.
#3
Posted 02 January 2004 - 11:00 AM
I downloaded Norton from the Internet, so I don't have the CD. I thought I had everything worked out until two days ago. I followed Norton's instructions to turn off my restore, and now I have no dates to restore back to. When I call up Norton, it pops up then disappears. If I keep trying it will eventually come up but won't do anything. My modem won't come up anymore. I have read your spyware, do you think I could have some kind of spyware on my computer?
#4
Posted 03 January 2004 - 01:40 AM
Hi
You can download Spybot and see if you have any, but it's 3.5 MB. First thing, we should get you back so you can get on the web. What do you use for the internet: DSL, dial-up, cable?
#5
Posted 05 January 2004 - 01:12 PM
I ran Spybot and followed the instructions. My modem would not come up; I have dial-up. So I uninstalled the program (which is SBC Global). Then I got the disc and tried to reload the program. My computer won't run it. I can't call up the help file or System Restore. I was thinking I should delete everything and start all over.
#6
Posted 05 January 2004 - 01:23 PM
Hi mmcarr,
Let's try this, see the HiJack This Guide link in my signature. Download, run, and copy the log into this topic.
edit: I see you don't have Internet access on your computer, but you'll be able to save HiJack This to a floppy, run it on your system, and then save the log as a notepad file. Copy to your floppy. When you get to a computer w/Internet access, copy the text from this notepad file and paste it to this topic.
Edited by admin, 05 January 2004 - 01:24 PM.
#7
Posted 06 January 2004 - 05:01 PM
Logfile of HijackThis v1.97.7
Scan saved at 7:46:45 PM, on 1/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\systry.exe
C:\WINDOWS\System32\LSAS.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oecadvantage.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oecadvantage.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OEC Advantage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [JAKRICFT] C:\WINDOWS\JAKRICFT.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [VFSMGQQUO] C:\WINDOWS\VFSMGQQUO.exe
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\RunServices: [Windows SYStry] systry.exe
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oecadvantage.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yaho...alls/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
StartupList report, 1/5/2004, 7:52:27 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\systry.exe
C:\WINDOWS\System32\LSAS.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PROMon.exe = PROMon.exe
Smapp = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
Tgcmd = "C:\Program Files\Support.com\bin\tgcmd.exe /server"
UC_SMB =
Lexmark X84-X85 Button Monitor = C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
Lexmark X84-X85 Button Manager = C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
PrinTray = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
Windows SYStry = systry.exe
JAKRICFT = C:\WINDOWS\JAKRICFT.exe
bxxs5 = RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
VFSMGQQUO = C:\WINDOWS\VFSMGQQUO.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe = SBC Yahoo! Connection Manager
eanth_critical_update_alert = C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Windows Explorer = LSAS.exe
SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
msbb = C:\WINDOWS\msbb.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows SYStry = systry.exe
Windows Explorer = LSAS.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = %1
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll - {00000762-3965-4A1A-98CE-3D4BF457D4C8}
(no name) - C:\WINDOWS\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
{5AA12161-7538-48A7-B7D2-7BED49B44D54}_PAM_Matt Howlett.job
{CB02BE89-5B19-4760-9D7E-680AC441458A}_PAM_Jim Howlett.job
--------------------------------------------------
Enumerating Download Program Files:
[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yaho...alls/yab_af.cab
[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo....plorer1_9us.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 6,316 bytes
Report generated in 0.703 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#8
Posted 06 January 2004 - 08:32 PM
Restart HiJack This and Fix the following:
C:\WINDOWS\System32\LSAS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [JAKRICFT] C:\WINDOWS\JAKRICFT.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [VFSMGQQUO] C:\WINDOWS\VFSMGQQUO.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
Restart in Safe Mode by pressing F8 while restarting. Search for and delete:
System32\LSAS.exe <- file
systry.exe <- file
LSAS.exe is a worm infection. To prevent this in the future, regularly run Windows Update, install an anti-virus program and keep it up-to-date. To be safe you should also run a free virus scan at the Trend Micro Housecall service.
systry.exe is a nuisance joke program, but can cause your computer to behave strangely. Thank you "friends".
When finished post a new log.
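The reply above picks the entries to fix out of the log by eye. The script below is an added example, not code from this thread or from HijackThis; it encodes the same triage rules a helper applies when reading such a log (every IE search key redirected to one outside host, an unnamed BHO dropped straight into C:\WINDOWS, a toolbar CLSID with no file behind it, Run values that borrow a Windows component's name or start a random-named executable from the Windows root) and runs them over a constructed excerpt modelled on the posted log. The one-host blocklist, the lookalike list and the "six or more capitals" threshold are assumptions tuned to this log, not general signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on entries from
# this thread (benign and suspicious lines mixed); not the poster's full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [JAKRICFT] C:\WINDOWS\JAKRICFT.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# The host the posted log shows hijacking every IE search key. A constructed,
# one-entry blocklist for this example, not a maintained reputation feed.
KNOWN_HIJACK_HOSTS = {"search.ieplugin.com"}
# Binaries whose names imitate Windows components: the genuine Local Security
# Authority is lsass.exe (two s's) in System32 and the real shell is explorer.exe,
# so "LSAS.exe" registered under the name "Windows Explorer" is a lookalike.
LOOKALIKE_BINARIES = {"lsas.exe", "systry.exe"}
WINDIR = r"c:\windows"
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_NAME_RE = re.compile(r"[A-Z]{6,}\.exe")

@dataclass
class Finding:
    line: str
    reason: str

def command_image(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def split_path(image: str):
    """(parent directory, file name); a pathless image gives ('', name)."""
    parent, sep, name = image.rpartition("\\")
    return (parent if sep else ""), name

def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code in ("R0", "R1"):
        # "key,value = url": flag start/search URLs pointing at a known hijacker host
        url = rest.partition(" = ")[2].strip()
        host = urlparse(url).hostname or ""
        if host in KNOWN_HIJACK_HOSTS:
            return Finding(line, f"IE key redirected to hijacker host {host}")
    elif code == "O2":
        # "BHO: name - {clsid} - path": unnamed BHO living in the Windows root
        parts = rest[len("BHO: "):].split(" - ")
        name, parent = parts[0], split_path(parts[-1])[0]
        if name == "(no name)" and parent.lower() == WINDIR:
            return Finding(line, "unnamed BHO loaded from the Windows directory root")
    elif code == "O3" and rest.endswith("(no file)"):
        return Finding(line, "toolbar CLSID whose DLL is missing (dead entry, safe to remove)")
    elif code == "O4":
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        name, image = m4.group("name"), command_image(m4.group("cmd"))
        parent, fname = split_path(image)
        if fname.lower() in LOOKALIKE_BINARIES:
            return Finding(line, f"Run value '{name}' starts lookalike binary {fname}")
        if not parent and name.lower().startswith("windows "):
            return Finding(line, f"Run value '{name}' claims to be a Windows component but is pathless")
        if parent.lower() == WINDIR and RANDOM_NAME_RE.fullmatch(fname):
            return Finding(line, f"random-looking executable {fname} in the Windows directory root")
    return None

def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over every line of a log and collect the findings."""
    return [f for f in map(triage_line, log_text.strip().splitlines()) if f]
```

Run over the sample, triage() returns exactly the six lines the reply told the poster to fix and leaves the Intel, Symantec and SBC entries alone.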
#9
Posted 12 January 2004 - 07:51 AM
Thanks for helping, you have been a lifesaver. After I did what you told me I was able to get back online. I had to uninstall my Norton, then try and install it again. When I try to, my modem will disconnect halfway in the middle of the process. I am able to get back online now. One other problem: when I tried to search for the two files you suggested, my search won't come up. It says "run setup, files missing". Here is the problem: I can't find my setup disc. OH NO! What do I do, am I screwed? But thank you for all your help. I was able to download a firewall from ZoneAlarm. Thank you
#10
Posted 12 January 2004 - 08:29 AM
I'm glad we were able to help you get back online and fix the virus problem
If you'd like assistance getting your search to work, please start a new topic (this helps to avoid confusion, and also better helps other members that may have the same problem).