Overall malware issues [CLOSED]


  • This topic is locked

#1 thatbirdguy (New Member, 1 post)

Hi folks. I just switched over to a different computer at work, and somehow the coworker who used to use it managed to get it full of various adware/spyware. I have run CWShredder, as well as Microsoft AntiSpyware and Spybot. Spybot removed ~50 of the issues it found, but could not fix the rest as they were in memory (however, due to the nature of how this system is set up, it was not possible for Spybot to run at the next restart, retarding the process).

As it is now, I am having problems with Internet Explorer; in particular, something keeps changing the default homepage and embedding links in web pages (i.e. links that say "Lots of Shemale Galleries", etc.). Needless to say, this is quite an annoyance. Any help you can give with this is appreciated. The HijackThis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:30 PM, on 04/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\msxct.exe
C:\WINNT\system32\97d77fai.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\michael bird.APCA\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Parks Canada
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {88274B18-D989-D57B-D81A-8E1D876219C2} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINNT\pumba3.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINNT\pumba3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DjMQ] C:\WINNT\vembcymc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [hirytix] C:\WINNT\hirytix.exe
O4 - HKLM\..\Run: [0/4}<5_C:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\vembcymc.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [YCAIXAu] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ozslkvqn] C:\WINNT\ozslkvqn.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [97d77fai] C:\WINNT\system32\97d77fai.exe
O4 - HKLM\..\Run: [RfuteAbS1] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [be6B] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [W40QZE] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [hGdwr4Dc] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [h$@/95PvbyC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [u8e7JTcU] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [cCJPhe] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [BLMM9Y70] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [UMyl] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [tFDcG2a] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [E8WEIgCT] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [Wauoo] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [fN3c] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [pPFxsGi] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [S10vAe] C:\WINNT\fbghhyqp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sonnerie.net
O15 - Trusted Zone: *.winsearchassistant.com
O15 - Trusted Zone: *.winsearchupdate.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = apca.gc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = apca.gc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = apca.gc.ca,pch.gc.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = apca.gc.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = apca.gc.ca,pch.gc.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = apca.gc.ca,pch.gc.ca
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - c:\winnt\system32\DWRCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
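A log like the one above is easier to read once its entries are grouped rather than scanned line by line. The following is an added example, not part of the original thread and not a HijackThis feature: a small Python triage script that parses a handful of lines copied from the log above (HijackThis 1.99 line formats; the regexes assume exactly those formats) and collects the patterns a responder looks for: several O4 Run value names pointing at one binary, Run commands given as a bare file name with no path, O2 BHOs whose file is gone ("(no file)"), the host every R0/R1 start/search page was redirected to, and O15 Trusted Zone additions. It generalizes past this one log: any HijackThis-style O4/O2/R0/R1/O15 lines can be fed to `triage()`.

```python
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=543
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINNT\pumba3.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [YCAIXAu] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [RfuteAbS1] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [be6B] C:\WINNT\fbghhyqp.exe
O4 - HKLM\..\Run: [DjMQ] C:\WINNT\vembcymc.exe
O4 - HKLM\..\Run: [0/4}<5_C:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\vembcymc.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O15 - Trusted Zone: *.winsearchassistant.com
"""

# Line formats as printed by HijackThis 1.99 (assumed from the log above).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
URL_RE = re.compile(r"^R[01] - .* = (?P<url>\S+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
# First quoted or unquoted token ending in a PE extension; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx|scr))"?(?:\s|$)', re.IGNORECASE)


def executable_of(cmd: str) -> Optional[str]:
    """Return the program path of a Run command, without its quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text: str) -> dict:
    """Group HijackThis entries into the findings a responder checks first."""
    run_names = defaultdict(list)   # lower-cased binary path -> [Run value names]
    bare_names = []                 # Run commands with no directory (resolved via PATH)
    orphan_bhos, bho_files = [], []
    redirect_hosts = Counter()      # host of each hijacked start/search page
    trusted_zones = []

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            exe = executable_of(m.group("cmd"))
            if exe is None:
                continue
            run_names[exe.lower()].append(m.group("name"))
            if "\\" not in exe:
                bare_names.append(exe)
        elif m := BHO_RE.match(line):
            if m.group("file") == "(no file)":
                orphan_bhos.append(m.group("clsid"))   # registry left-over, DLL already gone
            else:
                bho_files.append(m.group("file"))
        elif m := URL_RE.match(line):
            redirect_hosts[urlparse(m.group("url")).hostname] += 1
        elif m := ZONE_RE.match(line):
            trusted_zones.append(m.group("host"))

    return {
        # One binary registered under many Run names is how this adware survives
        # a single deletion: every surviving name restarts it at logon.
        "shared_autorun_binaries": {k: v for k, v in run_names.items() if len(v) > 1},
        "bare_autorun_names": bare_names,
        "orphan_bhos": orphan_bhos,
        "bho_files": bho_files,
        "redirect_hosts": dict(redirect_hosts),
        "trusted_zones": trusted_zones,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log the same way (paste it into `SAMPLE_LOG`) and the shared-binary bucket for `fbghhyqp.exe` grows to well over a dozen names, which is the detail that explains why Spybot's per-item cleanup kept coming back: the Run keys, the files they point at and the loaded process all have to go in the same pass.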

#2 don77 (Malware Expert, Retired Staff, 18,526 posts)

Wow, that is pretty nasty.
Seeing it has been a few days since you posted this log, could you post a fresh one please, along with an uninstall list:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into this topic, please.
If you have resolved these issues, would you kindly let us know?

Thanks
Don

#3 don77 (Malware Expert, Retired Staff, 18,526 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.