Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Check my HiJackThis Log PLEASE! [CLOSED]

Started by Dotman , Jun 22 2005 04:09 PM

This topic is locked

#16
Dotman

Posted 02 July 2005 - 11:36 AM

Member

Topic Starter
Member
11 posts

Ok here, I just did another one. I am not going to restart or anything now, tell me what to do.

Logfile of HijackThis v1.99.1
Scan saved at 1:36:20 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\ywanqgj.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Heather\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/?.intl=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\o4eu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [usaliat] c:\windows\system32\ywanqgj.exe r
O4 - HKLM\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - HKCU\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119999387283
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#17
Michelle

Posted 02 July 2005 - 11:43 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Please download Process Explorer from here: http://www.sysintern...ssExplorer.html

Run Process Explorer and find the below Process in the list of Processes.

ywanqgj.exe

Select the process and click Process > Suspend.

Leave Process Explorer running!!

Then run HijackThis click Config (bottom right) > Misc Tools > Delete a file on reboot...
In the explorer Window select the below file:

c:\windows\system32\ywanqgj.exe

When prompted if you want to reboot now click YES
Leave Process explorer running with the process suspended.

Your system will reboot.

After the reboot Run HiJackThis. Place a check next to the following item and click FIX CHECKED

O4 - HKLM\..\Run: [usaliat] c:\windows\system32\ywanqgj.exe r

After "fixing", scan with HiJackThis again and post a new HiJackThis log.

#18
Dotman

Posted 02 July 2005 - 11:53 AM

Member

Topic Starter
Member
11 posts

Logfile of HijackThis v1.99.1
Scan saved at 1:51:48 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Heather\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/?.intl=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\o4eu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - HKCU\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119999387283
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#19
Michelle

Posted 02 July 2005 - 11:55 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Perfect!

I will be back as soon as possible with the rest of the fix.

#20
Michelle

Posted 02 July 2005 - 01:25 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Please follow these instructions exactly. I would advise printing them out for use in Safe Mode.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, Download, install, and update Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

After Nailfix.cmd finishes:

Run Ewido.
Click on scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

After running Ewido, go into this folder:

C:\WINDOWS\Prefetch

Look to see if there is ANY file that has "nail" or "svcproc" in the name. If there is, delete it!!

Next please run HijackThis. Place a check next to the following item and click FIX CHECKED:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close HiJackThis.

Restart your computer in normal mode and please scan with HijackThis again and post the new HiJackThis log, as well as the log from the Ewido scan.

#21
Dotman

Posted 02 July 2005 - 02:56 PM

Member

Topic Starter
Member
11 posts

Ok here is the ewido log then the hijackthis log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:52:14 PM, 7/2/2005
+ Report-Checksum: 3B28F2BA

+ Date of database: 7/2/2005
+ Version of scan engine: v3.0

+ Duration: 36 min
+ Scanned Files: 31680
+ Speed: 14.35 Files/Second
+ Infected files: 91
+ Removed files: 91
+ Files put in quarantine: 91
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\heather@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather\installer_MARKETING35.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\bsx32\ADTMI1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIB9894.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIC29667.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASID12180.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIE17070.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIF29819.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIF4502.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIG21943.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIH7853.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASII21469.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIL18549.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIR21184.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIS24110.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIS31590.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIT17011.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIT26116.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIW11211.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\WWW3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bundles\HelperInstaller.exe -> TrojanDropper.Delf.z -> Cleaned with backup
C:\WINDOWS\bundles\saie1101.exe -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\bundles\shopinst.exe -> TrojanDownloader.Small.wj -> Cleaned with backup
C:\WINDOWS\bundles\thin-8-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\search3.dll -> Spyware.MegaSearch -> Cleaned with backup
C:\WINDOWS\kxmizmcwap.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\system32\0br1xh.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\Cache\cxtpls_loader.exe -> Spyware.Apropos.b -> Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Agent.dh -> Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\system32\in10b6s.dll -> Spyware.404Search.a -> Cleaned with backup
C:\WINDOWS\system32\k404SearchSetup_MS14.exe -> Spyware.404Search.a -> Cleaned with backup
C:\WINDOWS\system32\msshed32.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\WINDOWS\system32\newdevin.exe -> Spyware.BookedSpace.c -> Cleaned with backup
C:\WINDOWS\system32\o4eu.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\SWRT01.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\system32\tjl1.exe -> TrojanDownloader.Small.xl -> Cleaned with backup
C:\WINDOWS\system32\uvtl.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\xemuaeg05.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\xtzzkij.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 4:55:44 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
c:\windows\system32\gsbllsy.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Heather\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/?.intl=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\o4eu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [hklfnfz] c:\windows\system32\gsbllsy.exe r
O4 - HKLM\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - HKCU\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119999387283
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

#22
Michelle

Posted 02 July 2005 - 03:24 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Please try to avoid surfing the Internet as much as possible.

Run Process Explorer and find the below Process in the list of Processes.

gsbllsy.exe

Select the process and click Process > Suspend.

Leave Process Explorer running!!

Then run HijackThis click Config (bottom right) > Misc Tools > Delete a file on reboot...
In the explorer Window select the below file:

c:\windows\system32\gsbllsy.exe

When prompted if you want to reboot now click YES
Leave Process explorer running with the process suspended.

Your system will reboot.

After the reboot Run HiJackThis. Place a check next to the following items and click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\o4eu.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [hklfnfz] c:\windows\system32\gsbllsy.exe r
O4 - HKLM\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k
O4 - HKCU\..\RunOnce: [bajmh.exe] C:\WINDOWS\System32\bajmh.exe /k

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

Close HiJackThis.

Using Windows Explorer, Delete the following files/folders, in bold:

C:\WINDOWS\System32\bajmh.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\bsx32 <-Whole Folder
C:\WINDOWS\bundles <-Whole Folder

Reboot, then post a new HiJackThis log.

Edited by bananafanafo, 02 July 2005 - 06:27 PM.

#23
Michelle

Posted 12 July 2005 - 09:51 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.