My HijackThis log



#1 Caper555 (Member, 12 posts)

Logfile of HijackThis v1.99.1
Scan saved at 7:52:56 AM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\W?nSxS\spoolsv.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zwshpmksj...R0kMD1AoWm.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1730D6E9-523F-64CE-03B2-16AADAC1C4FD} - C:\WINDOWS\system32\jfynt.dll (file missing)
O2 - BHO: (no name) - {221DE6E9-7F0C-51FA-2E82-2687EAF1E9CD} - C:\WINDOWS\system32\jfynt.dll (file missing)
O2 - BHO: (no name) - {4DD93071-BE1A-24C6-D106-175578852911} - C:\WINDOWS\system32\dfmk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {C6970E7D-A00B-4C02-A604-013F92540FF8} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {D378EB18-24FE-565D-8F9C-70A2A9A568C6} - C:\WINDOWS\system32\egyfgaw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [G6h4yCaU] C:\documents and settings\administrator\local settings\temp\G6h4yCaU.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [7U8M] C:\documents and settings\administrator\local settings\temp\7U8M.exe
O4 - HKCU\..\Run: [Wyjr] C:\WINDOWS\system32\W?nSxS\spoolsv.exe
O4 - HKCU\..\Run: [platformwin] C:\DOCUME~1\ADMINI~1\APPLIC~1\BITSNU~1\traybash.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED7AD1B4-A86A-4C35-B8B9-A907A139A260}: NameServer = 142.177.1.2 142.177.129.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thank you
Caper


#2 Wizard (Retired Staff, 5,661 posts)

Hi Caper555 and Welcome to G2G!!

Download AdAware SE:
http://www.lavasoft....nstallation.htm

1. Close ALL windows and start Ad-Aware SE.
2. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
3. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
   1. In the ‘General’ window make sure the following are selected in green:
      1. Under Safety:
         * Automatically save log-file
         * Automatically quarantine objects prior to removal
         * Safe Mode (always request confirmation)
      2. Under Definitions:
         * Prompt to update outdated definitions - set the number of days
4. Click on the ‘Scanning’ button on the left and select in green:
   1. Under Driver, Folders & Files:
      * Scan Within Archives
   2. Under Select drives & folders to scan:
      * choose all hard drives
   3. Under Memory & Registry: all green
      * Scan Active Processes
      * Scan Registry
      * Deep Scan Registry
      * Scan my IE favorites for banned URL’s
      * Scan my Hosts file
5. Click on the ‘Advanced’ button on the left and select in green:
   1. Under Shell Integration:
      * Move deleted files to recycle bin
   2. Under Logfile Detail Level: all green
      * include additional object information
      * DESELECT - include negligible objects information
      * include environment information
   3. Under Alternate Data Streams:
      * Don't log streams smaller than 0 bytes
      * Don't log ADS with the following names: CA_INOCULATEIT
6. Click the ‘Tweak’ button and select in green:
   1. Under ‘Scanning Engine’:
      * Unload recognized processes during scanning
      * Scan registry for all users instead of current user only
   2. Under ‘Cleaning Engine’:
      * Let Windows remove files in use at next reboot
   3. Under Log Files:
      * Include basic Ad-aware SE settings in logfile
      * Include additional Ad-aware SE settings in logfile
      * Please do not check: Include Module list in logfile
7. Click on ‘Proceed’ to save the settings.
8. Click ‘Start’
9. Choose 'Perform Full System Scan'
10. DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
11. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
12. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window.
13. Save the log file when it asks and then click ‘Finish’.


Download Ewido Security Suite, install it, then from within the program check for updates BUT don't scan yet!

Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful"), close the program.


If you have problems Updating see here:
http://www.ewido.net...wnload/updates/

Once Downloaded and Updated, Restart in Safe Mode and Scan with Ewido!!

Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Both of the Scans will take a bit of time to complete but it's worth the wait!

While you are waiting, Click Start>>My Computer>>Local Disk C:>>Windows Folder>>System32 Folder

Once the System32 Folder is Open, Look and tell me how many folders you have that are spelled like this or very similar to this:

WinSxS

Once the Scans are completed, Have the PC scanned here:
http://www.pandasoft...n_principal.htm

Save the Report it generates and post it here along with the Ewido log and a fresh HijackThis log!

Edited by Cretemonster, 20 May 2005 - 04:19 AM.


#3 Caper555 (Topic Starter, Member, 12 posts)

OK I have done it all.....

Looking for the WinSxS: there is one in the Windows folder and one in the system32 folder, and a wins in the system32 folder.

Here are the HijackThis, Panda and Ewido logs.

Thanks for your help

Panda
Incident Status Location

Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator\Application Data\bitsnurbfour\List coal bike balm.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator\Application Data\bitsnurbfour\Mfcdtickdoes.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator\Application Data\bitsnurbfour\rpiyhylm.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator\Application Data\bitsnurbfour\traybash.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\kjxizxxe.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\16proceqford\MIX SIGN.exe
Adware:Adware/Lop No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\77E10B83-4841-4F84-967F-461897\1321E8F5-321B-4237-BCC2-4877D2
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\iezset.exe
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msiaih.dll
Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:03:09 AM, 5/21/2005
+ Report-Checksum: ED428B53

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 44 min
+ Scanned Files: 78625
+ Speed: 29.16 Files/Second
+ Infected files: 4
+ Removed files: 4
+ Files put in quarantine: 4
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@mysearchnow[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\lbbho.dll -> Spyware.Neon.a -> Cleaned with backup
C:\WINDOWS\system32\mscjjn.dll -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\system32\WіnSxS\spoolsv.exe -> Spyware.PurityScan.bf -> Cleaned with backup


::Report End

and HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 11:12:43 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pxcxvychtivcx...R0kMD1AoWm.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1730D6E9-523F-64CE-03B2-16AADAC1C4FD} - C:\WINDOWS\system32\jfynt.dll (file missing)
O2 - BHO: (no name) - {221DE6E9-7F0C-51FA-2E82-2687EAF1E9CD} - C:\WINDOWS\system32\jfynt.dll (file missing)
O2 - BHO: (no name) - {4DD93071-BE1A-24C6-D106-175578852911} - C:\WINDOWS\system32\dfmk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {C6970E7D-A00B-4C02-A604-013F92540FF8} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {D378EB18-24FE-565D-8F9C-70A2A9A568C6} - C:\WINDOWS\system32\egyfgaw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [G6h4yCaU] C:\documents and settings\administrator\local settings\temp\G6h4yCaU.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [7U8M] C:\documents and settings\administrator\local settings\temp\7U8M.exe
O4 - HKCU\..\Run: [platformwin] C:\DOCUME~1\ADMINI~1\APPLIC~1\BITSNU~1\traybash.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED7AD1B4-A86A-4C35-B8B9-A907A139A260}: NameServer = 142.177.1.2 142.177.129.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 Wizard (Retired Staff, 5,661 posts)

Excellent Information!!

The WinSxS in the Windows location is legit, the one in the System32 Folder is not!

The wins Folder in the System32 Folder is legit!

You can Remove Ewido whenever you like, we are finished using it!

Please Download CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Please Download CCleaner
http://www.filehippo...d_ccleaner.html

Please DO NOT run these yet!

Reboot into SAFE MODE(Tap F8 when restarting)

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!
Here is a link to help with that

http://www.bleepingc...showtutorial=62

Please Locate and Delete these

C:\WINDOWS\lbbho.dll<< Verify that it was deleted by Ewido!

C:\WINDOWS\system32\mscjjn.dll<< Verify that it was deleted by Ewido!

C:\WINDOWS\system32\WіnSxS\spoolsv.exe<< Verify that it was deleted by Ewido!

C:\WINDOWS\sepsd.bin<< File Only

C:\WINDOWS\system32\iezset.exe<< File Only

C:\WINDOWS\system32\kyf.dat<< File Only

C:\WINDOWS\system32\msiaih.dll<< File Only

C:\WINDOWS\system32\WіnSxS<< Folder Only in the System32 location!

C:\Documents and Settings\Administrator\Application Data\bitsnurbfour<< Folder!

C:\Documents and Settings\All Users\Application Data\16proceqford<< Folder!

C:\Documents and Settings\All Users\Application Data\BITSNU~1<< Folder! Unsure of Exact Name but figure it will be obvious!

C:\Documents and Settings\Administrator\Local Settings\Temp<< Open this Folder and Delete everything that is inside it!


Please Make Note of any files not found or that could not be deleted and include that information in the next post!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pxcxvychtivcx...R0kMD1AoWm.html

O2 - BHO: (no name) - {1730D6E9-523F-64CE-03B2-16AADAC1C4FD} - C:\WINDOWS\system32\jfynt.dll (file missing)

O2 - BHO: (no name) - {221DE6E9-7F0C-51FA-2E82-2687EAF1E9CD} - C:\WINDOWS\system32\jfynt.dll (file missing)

O2 - BHO: (no name) - {4DD93071-BE1A-24C6-D106-175578852911} - C:\WINDOWS\system32\dfmk.dll (file missing)

O2 - BHO: C:\WINDOWS\lbbho.dll - {C6970E7D-A00B-4C02-A604-013F92540FF8} - C:\WINDOWS\lbbho.dll (file missing)

O2 - BHO: (no name) - {D378EB18-24FE-565D-8F9C-70A2A9A568C6} - C:\WINDOWS\system32\egyfgaw.dll (file missing)

O4 - HKLM\..\Run: [G6h4yCaU] C:\documents and settings\administrator\local settings\temp\G6h4yCaU.exe


O4 - HKLM\..\Run: [7U8M] C:\documents and settings\administrator\local settings\temp\7U8M.exe

O4 - HKCU\..\Run: [platformwin] C:\DOCUME~1\ADMINI~1\APPLIC~1\BITSNU~1\traybash.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!


Open and Run CCleaner>Click "Run Cleaner" and let it do its thing!


Open and Run Cleanup!>Click "Cleanup">Let it Scan for Temporary Files>Click "Close">Click "Yes" to Log Off>Once Logged Off>Restart the PC in Normal Mode!


Once Back in Normal Mode, Scan the PC with HijackThis again and Post those Results!
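The checks this thread walks through by hand (a look-alike WinSxS folder, a spoolsv.exe outside system32, autoruns pointing into Temp or Application Data, orphaned "(file missing)" entries) can be turned into a repeatable triage pass over a HijackThis-style log. The script below is an added example in Python and is not part of the original thread or of HijackThis, Ewido or Panda; the sample lines are copied from the logs above, and the expected home directory of each core Windows binary is assumed for a default XP install on C:.

```python
import re
import unicodedata

# Constructed sample, copied from the HijackThis and Ewido output posted in this thread.
# The third line uses the Cyrillic letter i (U+0456) exactly as Ewido printed the folder name.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\system32\W?nSxS\spoolsv.exe",
    "C:\\WINDOWS\\system32\\W\u0456nSxS\\spoolsv.exe",
    r"O4 - HKLM\..\Run: [G6h4yCaU] C:\documents and settings\administrator\local settings\temp\G6h4yCaU.exe",
    r"O4 - HKCU\..\Run: [platformwin] C:\DOCUME~1\ADMINI~1\APPLIC~1\BITSNU~1\traybash.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O2 - BHO: (no name) - {1730D6E9-523F-64CE-03B2-16AADAC1C4FD} - C:\WINDOWS\system32\jfynt.dll (file missing)",
]

# Core Windows binaries and the only directory each should run from.
# Assumption: a default Windows XP layout on drive C:.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Folders a legitimate autostart entry rarely points into (8.3 short forms included).
SUSPECT_SEGMENTS = ("temp", "local settings", "application data", "applic~1")

# First drive-letter path on a line, up to the first recognised file extension.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|bin|dat|sys)\b", re.IGNORECASE)


def extract_path(line):
    """Return the first Windows file path on a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def check_path(path):
    """Return the reasons this path deserves a closer look (empty list if none)."""
    findings = []
    # 1. Homoglyph check: any non-ASCII character inside a Windows system path is a red flag.
    for ch in path:
        if ord(ch) > 127:
            findings.append("non-ASCII character %r (U+%04X, %s)"
                            % (ch, ord(ch), unicodedata.name(ch, "UNKNOWN")))
    # 2. HijackThis printed the folder as W?nSxS: the '?' stands for a character it could not
    #    render, and Ewido's report of the same file shows that character is a Cyrillic letter.
    if "?" in path:
        findings.append("unrenderable character shown as '?' in path")
    segments = path.lower().split("\\")
    name, parent = segments[-1], "\\".join(segments[:-1])
    # 3. A core system binary running from anywhere but its home directory.
    expected = SYSTEM_BINARIES.get(name)
    if expected is not None and parent != expected:
        findings.append("%s should live in %s, not %s" % (name, expected, parent))
    # 4. Executables launched from Temp or per-user Application Data folders.
    if name.endswith(".exe") and any(seg in SUSPECT_SEGMENTS for seg in segments[:-1]):
        findings.append("executable in a temp or application-data folder")
    return findings


def scan(lines):
    """Scan log lines; return [(line, findings)] for every line with at least one finding."""
    results = []
    for line in lines:
        findings = []
        path = extract_path(line)
        if path:
            findings.extend(check_path(path))
        # 5. An entry whose target no longer exists is an orphan left behind after removal.
        if "(file missing)" in line:
            findings.append("autostart/BHO target missing on disk")
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for flagged_line, reasons in scan(SAMPLE_LINES):
        print(flagged_line)
        for reason in reasons:
            print("    -", reason)
```

Run it against the full "Running processes" and O4 sections of a log to get the same short list of entries that the helper singled out above.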

#5 Caper555 (Topic Starter, Member, 12 posts)

It is looking good... I have not had any pop ups and the favorites I had that I couldn't get rid of are gone.

Here is my new hijack this log.

There was only one file that I couldn't find to delete:
C:\Documents and Settings\All Users\Application Data\BITSNU~1<< Folder! Umsure of Exact Name but figure it will be obvious!
There was nothing there that even looked close to that.

Thank you so much for your help, you are a genius.


Caper

Logfile of HijackThis v1.99.1
Scan saved at 7:19:05 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=24.222.137.230:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\PROGRA~1\Logitech\WINGMA~1\Lwinst.exe -d -l "C:\PROGRA~1\Logitech\WINGMA~1\Lwpevntm.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Caper555, 21 May 2005 - 04:20 PM.


#6 Wizard (Retired Staff, 5,661 posts)

That last log looks fine and thanks to your Homepage setting, I don't miss the race tonight!!! TY!!!!!!!!! ;)

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and then re-enable it!

This will flush out all old Restore Points!

Install these 2 programs>Both links have an explanation of what each program does and how to keep them up to date!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Because I don't see a Firewall installed and don't trust the Windows Firewall>Have a look at this link

Sygate Personal Firewall:
http://smb.sygate.co...pf_standard.htm

Next in line are 3 links>I recommend reading each just for the knowledge!

http://forums.thetec...read.php?t=4544

http://www.pcstats.c...?articleID=1579

http://forums.thetec...read.php?t=8859

Glad to hear that the PC is being more friendly>Maybe some of these programs and a little more knowledge will help keep it that way!!!

Looks like Bumper Cars at Charlotte! :tazz:

Any other Questions?

Edited by Cretemonster, 21 May 2005 - 06:01 PM.
