Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My HijackThis log [RESOLVED]


  • This topic is locked This topic is locked

#16
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Violin,

Sorry about the delay, i had an unexpected medical problem.

Please open Ewido and update it. Then Close it down.

Reboot into Safe Mode by tapping the F8 key whilst your PC restarts.

Run Ewido and carry out a full scan and save the log.

Rescan with HJT and check all of the

O18 - Protocol hijack: entries

Ensure no windows open except HJT and click fix checked

using windows explorer find the following file and delete it

C:\WINDOWS\system32\in10b6.dll

reboot pc normally and carry out this free online scan

F-secure

Download this free registry program, install it and click on RegscrubXP finds problems. At the end of scan select all then click fix selected problems

regscrub

rescan with HJT and post the log back, together with the ewido and f-secure scan results.

Edited by usetobe, 10 July 2005 - 03:09 AM.

  • 0

Advertisements


#17
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thank you very much Lord usetobe

I cant find C:\WINDOWS\system32\in10b6.dll ,I'm not sure it still living in my HDD by changed named or not

This is my lastest HijackThis ,ewido logs and F-secure result

Logfile of HijackThis v1.99.1
Scan saved at 1:22:31, on 2005/07/11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
D:\BACKUP C\Program\Kill trojan\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\ja\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: FlashGet - C:\BACKUP C\Downloads\Program\FlashGet\jc_link.htm
O8 - Extra context menu item: FlashGet - C:\BACKUP C\Downloads\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co....Public/nxpm.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co....blic/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119888241025
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...JP.2005.2.2.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol hijack: file - FILE>{79
C
-
9-
1 - 82
00
0

}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:33:48, 2005/07/10
+ Report-Checksum: 8BA4DD93

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\HyperbarSS3.DLL -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{C4AC1481-6C39-433E-BD39-2A05FBF45BA7} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2F6F5329-6B57-4D2D-B6AB-662793AEB986} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{39CDE95F-7466-463A-81DE-CA0CDD7F6687} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E895F3C1-632E-4AFF-8DED-3FFCB2A3D096} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB3A747D-A8BA-45FB-8196-1D442668796C} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperSearchHook -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperSearchHook\CLSID -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperSearchHook\CurVer -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperService -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperService\CLSID -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHelperService\CurVer -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHlpSHFactory -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHlpSHFactory\CLSID -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.NavHlpSHFactory\CurVer -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.PropSheetHandler -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.PropSheetHandler\CLSID -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Hyperbar.PropSheetHandler\CurVer -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05C3780D-3A0C-485A-B3CF-3AF35061C8C1} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4682934D-BFCE-4647-9E61-3D95BD163B6C} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D639D99D-2377-46B5-81A5-BD91B61C61B0} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C4AC1481-6C39-433E-BD39-2A05FBF45BA7} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-1659004503-1580818891-1060284298-1003\Software\Igor V. Gunko -> Spyware.HyperBar : Cleaned with backup
C:\WINDOWS\system32\in10b6.dll -> Adware.eZula : Cleaned with backup
::Report End


F-secure

Finished: 4 viruses found

Scanned files: 178420 Warning: 4 file(s) still infected!


D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023022-216.dll Trojan.Win32.StartPage.qr

D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023153-877.dll Trojan.Win32.StartPage.qr

D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023731-856.dll Trojan.Win32.StartPage.qr

D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023821-797.dll Trojan.Win32.StartPage.qr


Thank you very much
  • 0

#18
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download about:buster by RubbeRDuckY HERE
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Set PC to show hidden files (click link if you do not know how)LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Now scan with HJT and check the following entries

O18 - Protocol hijack: file - FILE>{79
C
-
9-
1 - 82
00
0

}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}


Ensure no windows open except HJT and click FIX CHECKED.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

Now run Ewido. click on the Scanner button, Select drives if you have more than one and then start.

grab a cup of coffee, sandwiches, book as this may take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here
  • 0

#19
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
To Lord usetobe

I have a problem about about:buster by RubbeRDuckY program. when I click at AboutBuster.exe, dialog box with following message will show

Corrupt Database
The database is either corrupted or missing. Please download a new one.

...I try to download many time but can not use it or get update, I'm not sure I got all files of this program? my about:buster by RubbeRDuckY program file size is 33.6kb when zip and 99.4kb after unzip

Thank you very much

Edited by violin, 13 July 2005 - 11:58 PM.

  • 0

#20
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Click this link to see if you can download it from another location

Click here
  • 0

#21
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
To Lord usetobe

My about:buster by RubbeRDuckY that I get from everywhere is still not work, now I think..problem is my PC not a program. or I must update it in safe mode with internet connection?

Thank you very much
  • 0

#22
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Violin,

Ok FOR NOW LEAVE OUT THE ABOUT.BUSTER PART AND CARRY OUT THE REST OF THE PROCEDURE
  • 0

#23
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Very sorry Lord usetobe for late reply

This is my SpSeHjfix,ewido and HijackThis logs

SpSeHjfix log

Virus Scan No virus detected

Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name

Trojan/Worm Check No worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type

Spyware Check No spyware program detected

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type

Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:08:30, 2005/07/18
+ Report-Checksum: 543798B0

+ Scan result:

No infected objects found.


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 12:09:28, on 2005/07/18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
D:\BACKUP C\Program\Kill trojan\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN ツールバー - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\ja\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: FlashGetでダウンロード - C:\BACKUP C\Downloads\Program\FlashGet\jc_link.htm
O8 - Extra context menu item: FlashGetで全てダウンロード - C:\BACKUP C\Downloads\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co....Public/nxpm.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co....blic/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119888241025
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...JP.2005.2.2.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol hijack: file - FILE>{79
C
-
9-
1 - 82
00
0

}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Thank you very much
  • 0

#24
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Please carry out another Panda Acive scan

ActiveScan - Save the results from the scan
  • 0

#25
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
very sorry Lord usetobe for my late reply

this is my ActiveScan log

Incident Status Location
Adware:Adware/MediaTickets No disinfected WindowsRegistry

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf

Adware:Adware/PopCapLoader No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-020802-117.inf

Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023022-216.dll

Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023153-877.dll

Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023731-856.dll

Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023821-797.dll

Adware:Adware/PopCapLoader No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050627-180205-641.inf


Thank you very much

Edited by violin, 22 July 2005 - 01:32 AM.

  • 0

Advertisements


#26
Guest_usetobe_*

Guest_usetobe_*
  • Guest
please open Notepad, and copy/paste all the code in the box below into a new text file. Save it as FixReg.reg and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\lid]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]
@="TV: Pluggable Protocol"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"


Please reboot in safe mode again and locate FixReg.reg and double-click on it.

After that please reboot and post a new log.
  • 0

#27
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
This is my newest ActiveScan log after run FixReg.reg in save mode and restart normal and scan with ActiveScan

Incident Status Location

Adware:Adware/MediaTickets No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/PopCapLoader No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-020802-117.inf
Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023022-216.dll
Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023153-877.dll
Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023731-856.dll
Adware:Adware/SearchExe.gen No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050403-023821-797.dll
Adware:Adware/PopCapLoader No disinfected D:\BACKUP C\Program\Kill trojan\backups\backup-20050627-180205-641.inf

Thank you very much
  • 0

#28
Guest_usetobe_*

Guest_usetobe_*
  • Guest
New Hijackthis log please
  • 0

#29
violin

violin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
very sorry Lord usetobe for my late reply

This is my newest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 15:10:36, on 2005/07/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
D:\BACKUP C\Program\Kill trojan\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN ツールバー - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\ja\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: FlashGetでダウンロード - C:\BACKUP C\Downloads\Program\FlashGet\jc_link.htm
O8 - Extra context menu item: FlashGetで全てダウンロード - C:\BACKUP C\Downloads\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co....Public/nxpm.cab
O16 - DPF: {33E7E377-FA07-4228-93A6-8A340B768140} (Nexon Package Manager Control (Jp)) - http://www.nexon.co....blic/nxpmjp.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119888241025
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...JP.2005.2.2.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\BACKUP C\Program\Kill trojan\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Thank you very much
  • 0

#30
Guest_usetobe_*

Guest_usetobe_*
  • Guest
please open Notepad, and copy/paste all the code in the box below into a new text file. Save it as FixReg1.reg and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"

Please reboot in safe mode again and locate FixReg1.reg and double-click on it.

Now rescan with HJT and check the following entries if they exist:

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}


Ensure no windows open except HJT and click fix checked.

Now reboot normally, rescan with HJT and post the log back
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP