
Quite short hijackthis log.. still need help bad [RESOLVED]


  • This topic is locked

#16
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Well, I have no clue why l2mfix is still running... :tazz:

Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O4 - HKLM\..\Run: [second] C:\Documents and Settings\Panzerfaust\Desktop\l2mfix\second.bat

Close HiJackThis.

Now, I need you to run a couple of programs to finish cleaning your system up (after that's done, we can remove the optional items from startup for good instead of hiding them in msconfig ;) )

First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running Cleanup!

Please download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, run this scan:
ActiveScan (yes I know you run this periodically, but I need to see the log even if it has been run recently)

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log.
  • 0


#17
Valakar

Valakar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Anyhow, rundll32.exe spared me this boot, so it might be fixed.. If I don't hear back from you, thanks a ton for all the help, sorry for making things confusing by hijacking a bunch of stuff before coming here hehe.


EDIT: Ok, doing that stuff you said, one sec :tazz:

Edited by Valakar, 19 June 2005 - 03:21 AM.

  • 0

#18
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's going to take a little while so I will look at your logs in a few hours, but right now it's time for bed! (3:30 am :tazz: )
  • 0

#19
Valakar

Valakar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, here are my three logs for ya (hope you're still around heh):

Logfile of HijackThis v1.99.1
Scan saved at 3:51:29 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\hijack\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092962158602
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.stati.../soesysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C9F147-69D2-4361-9058-3B55875C40DB}: NameServer = 24.164.100.234
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:59:12 AM, 6/19/2005
+ Report-Checksum: 795E4BB6

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 63 min
+ Scanned Files: 170356
+ Speed: 45.01 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Panzerfaust\Application Data\thtt.exe -> Spyware.PurityScan.w -> Cleaned with backup
C:\FINDnFIX\Files2\un.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\softnyx\GunBound\GameGuard\npggNT.des -> Trojan.Lmir.by -> Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup


::Report End



Pandascan:


Incident Status Location

Adware:Adware/BlazeFind No disinfected C:\Program Files\WindowsSB\WinSBUninst.EXE
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\f4l0le3m1h.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\j60slgd7160.dll
  • 0
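The next post turns the scanner output above into a list of files to delete by hand: ewido reports each hit as "path -> detection -> action", while Panda ActiveScan reports "incident status location" and marks what it could not clean as "No disinfected". The script below is an added example (it is not from the thread, the helper, or either scanner vendor) that parses both report formats and keeps only the hits no scanner resolved. The samples embedded in it are copied from the reports in this post; the list of status words treated as "resolved" is an assumption, since the page only shows "Cleaned with backup" and "No disinfected".

```python
import re

# Constructed sample: the "Incident Status Location" block from the Panda
# ActiveScan output posted in this thread (post #19).
PANDA_REPORT = r"""Incident Status Location

Adware:Adware/BlazeFind No disinfected C:\Program Files\WindowsSB\WinSBUninst.EXE
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\f4l0le3m1h.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\j60slgd7160.dll
"""

# Constructed sample: two of the ewido "Scan result" lines from the same post.
EWIDO_REPORT = r"""+ Scan result:
C:\Documents and Settings\Panzerfaust\Application Data\thtt.exe -> Spyware.PurityScan.w -> Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup

::Report End
"""

# Panda line: <incident> <status words> <drive-letter path>. The status is
# matched lazily so the path (which may contain spaces) takes the remainder.
PANDA_LINE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>.+?)\s+(?P<location>[A-Za-z]:\\.+)$")
# ewido line: <path> -> <detection> -> <action>
EWIDO_LINE = re.compile(
    r"^(?P<location>[A-Za-z]:\\.+?) -> (?P<detection>.+?) -> (?P<status>.+)$")

# Assumed set of status prefixes meaning the scanner already dealt with the file.
RESOLVED_PREFIXES = ("cleaned", "disinfected", "deleted", "removed", "quarantined")


def parse_panda(text):
    """Return one dict per detection line in a Panda ActiveScan report."""
    findings = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            findings.append({"scanner": "panda", "location": m.group("location"),
                             "detection": m.group("incident"), "status": m.group("status")})
    return findings


def parse_ewido(text):
    """Return one dict per detection line in an ewido scan report."""
    findings = []
    for line in text.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            findings.append({"scanner": "ewido", "location": m.group("location"),
                             "detection": m.group("detection"), "status": m.group("status")})
    return findings


def is_resolved(status):
    # "No disinfected" does not start with any resolved prefix, so it stays pending.
    return status.strip().lower().startswith(RESOLVED_PREFIXES)


def pending_removals(findings):
    """Unique, sorted paths that no scanner cleaned (the manual-deletion list)."""
    return sorted({f["location"] for f in findings if not is_resolved(f["status"])})


def killbox_list(findings):
    """One path per line, the form a deletion tool expects to be pasted."""
    return "\n".join(pending_removals(findings))


if __name__ == "__main__":
    all_findings = parse_panda(PANDA_REPORT) + parse_ewido(EWIDO_REPORT)
    for f in all_findings:
        print(f"{f['scanner']:6} {f['status']:20} {f['detection']:28} {f['location']}")
    print("\nStill present, to be removed manually:")
    print(killbox_list(all_findings))
```

Run on the two reports, the pending list is exactly the three Panda hits the helper pastes into Killbox in the next post; the ewido hits drop out because their action reads "Cleaned with backup".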

#20
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Program Files\WindowsSB\WinSBUninst.EXE
C:\WINDOWS\system32\f4l0le3m1h.dll
C:\WINDOWS\system32\j60slgd7160.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log.
  • 0

#21
Valakar

Valakar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:09:07 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092962158602
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C9F147-69D2-4361-9058-3B55875C40DB}: NameServer = 24.164.100.234
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
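The helper judges progress by comparing the HijackThis log in this post with the one in post #19: the "Running processes" block and the prefixed entries (O3, O4, O16, O17, O23 and so on) are checked line by line for what disappeared and what is new. The script below is an added example, not part of the thread and not HijackThis code, that does that comparison mechanically. It embeds shortened, constructed copies of the two logs (a handful of lines taken from each post), splits each into its process list and its (section, body) entries, diffs the two, and pulls the DNS server addresses out of the O17 entries so they can be compared with the values the ISP is expected to hand out. The section-prefix pattern and the assumption that a blank line ends the process block are inferred from the log layout on this page.

```python
import re

# Constructed, shortened copies of the two HijackThis logs in this thread:
# post #19 (before the Killbox step) and post #21 (after).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:51:29 PM, on 6/19/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\HijackThis.exe

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:09:07 PM, on 6/19/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
"""

# Every HijackThis entry starts with a section tag such as "O4 - " or "N3 - ".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O17 entries end in "NameServer = <address>".
NAMESERVER = re.compile(r"NameServer = (\S+)")


def parse_hjt(text):
    """Split a log into its process list and a list of (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # assumption: a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_hjt(before_text, after_text):
    """Entries and processes that vanished or appeared between two logs."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    b_entries, a_entries = set(before["entries"]), set(after["entries"])
    b_procs, a_procs = set(before["processes"]), set(after["processes"])
    return {
        "removed_entries": sorted(b_entries - a_entries),
        "added_entries": sorted(a_entries - b_entries),
        "gone_processes": sorted(b_procs - a_procs),
        "new_processes": sorted(a_procs - b_procs),
    }


def entries_in_section(parsed, section):
    """Bodies of all entries with the given section tag, e.g. "O4"."""
    return [body for sec, body in parsed["entries"] if sec == section]


def nameservers(parsed):
    """DNS server addresses configured in the O17 entries."""
    found = []
    for body in entries_in_section(parsed, "O17"):
        m = NAMESERVER.search(body)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    delta = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for key, items in delta.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
    print("O17 name servers:", nameservers(parse_hjt(LOG_AFTER)))
```

On these two samples the diff reports one removed O4 entry (the WildTangent CDA run key, present in post #19 and absent in post #21), no added entries, and iexplore.exe as the only new process; the O17 check returns the single name server kept in the shortened log.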

#22
Valakar

Valakar

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Just so you know, I'd like to stop everything under "explorer.exe" in that hijackthis log from booting.. I don't necessarily wanna delete it all fully from my system, just don't want it coming on automatically.
  • 0

#23
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
As I said before, once we cleaned your system we can remove the items from startup without disabling them in msconfig and, no, it will not delete them from your system, just keep them from starting when your computer boots.

I will be back as soon as possible.
  • 0

#24
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It is your computer, so if you would rather disable them in msconfig (even though I don't recommend it) just let me know, because your system is now clean :tazz:
  • 0

#25
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
