hijack log here [RESOLVED]


  • This topic is locked

#1 inite (Member, 409 posts)
Went to spidercrack for some key regens and contracted tons of viruses. I tried removing a lot, and doing a system restore, hope that helped, but to be safe, I did a hijack log.

Hosts: 213.219.251.78 <-- there are a lot of these, is it unsafe? I don't remember my previous logs with items like these =/


Logfile of HijackThis v1.99.1
Scan saved at 8:07:43 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Inite\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117052785713
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 inite (Topic Starter, Member, 409 posts)
Any quick help? I've gtg soon =/

#3 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi inite,

Since you have done a system restore, the infection would have been addressed to a large extent.

I need you to do two things (this might take some time) -


1. Download Hoster.zip and save it on your desktop. Unzip the files from Hoster.zip and save them on the desktop too.

Run Hoster.exe. Click on "Restore Original Hosts".

2. Please visit Panda and do an online scan. This will tell us if any infection is still lurking on your PC.

Reboot the PC and post back a fresh HJT log along with the Panda scan report.
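The O1 lines inite asks about are hosts-file overrides, and the "Restore Original Hosts" step above is the fix for them. The following is an added example, not code from the thread or from HijackThis: it parses the O1 lines out of a HijackThis log (the sample lines are constructed, reusing the two 213.219.251.x targets from the posted log) and flags every hostname mapped to anything other than loopback or 0.0.0.0, grouping by target so a mass redirect of search engines to one address stands out.

```python
import ipaddress
import re

# Constructed sample in the shape HijackThis v1.99.1 prints; the two
# 213.219.251.x targets are the ones from the log posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.79 www.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_o1_entries(log_text):
    """Return (target_ip, hostname) pairs for every O1 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_benign_target(ip_text):
    """A clean hosts file only needs loopback (127.x, ::1) and the 0.0.0.0
    sinkhole that ad-blocking lists use; anything else is a redirect."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not even an address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_hosts_hijacks(log_text):
    """Group suspicious O1 entries by target address, so many well-known
    domains all pointed at one host (as in this thread) stand out at once."""
    hijacks = {}
    for ip, host in parse_o1_entries(log_text):
        if not is_benign_target(ip):
            hijacks.setdefault(ip, []).append(host)
    return hijacks


if __name__ == "__main__":
    for ip, hosts in find_hosts_hijacks(SAMPLE_HJT_LOG).items():
        print(f"{ip} hijacks {len(hosts)} name(s): {', '.join(hosts)}")
```

Run it against a saved HJT log by passing the file's text to find_hosts_hijacks; any key in the result is an address the hosts file should not be sending those names to.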

#4 inite (Topic Starter, Member, 409 posts)
Hi

Ya, I thought I would be safe as well with the system restore, but soon after the reboot there's one virus alert named "180 saver (I believe)" and there's one attached to c:\windows.exe, so I was worried, as an infection in there I believe would prevent me from getting a boot to desktop.

will post back in a while with the results

#5 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Don't rush things. Take your time.

Let's deal with the stuff comprehensively.

Post back when you are done with the two steps :tazz:

#6 inite (Topic Starter, Member, 409 posts)
Seems like I need to download ActiveX to scan through Panda. Is there a good location I can download ActiveX from?

Edit: trying to rush a bit =p I've gtg for close to 24 hours probably and my comp would be running all the while. I'm afraid details might be divulged to third parties, like credit card number, game logins, account logins, etc.

Edited by inite, 08 July 2005 - 08:49 AM.


#7 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Or try this -

http://uk.trendmicro...call_launch.php

#8 tampabelle (Retired Staff, Member 5k, 6,363 posts)
I am not sure what your requirements are, but if you don't need to be connected to the net, then disconnect from the net !!!!! If you have DSL / cable then switch off the modem and / or remove the cord connecting the modem and the PC !!!

#9 inite (Topic Starter, Member, 409 posts)
I've to use the net unfortunately =/

Anyway, I got the Panda working, and right now it has 16 infected files with 1/4 of the way through. Should I just clean up when it's done scanning, or do I post back here before I clean (remove) those infected files?

I'm afraid one of the viruses attaches itself to files like my bootup disk, preventing me from access to the desktop.

#10 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Let it clean any files it can

#11 inite (Topic Starter, Member, 409 posts)
OK, here's the result.

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.dll
Adware:Adware/SAHAgent No disinfected C:\DOCUME~1\Inite\LOCALS~1\Temp\umqltg4cl_.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\azebar.xml
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Idol Web Axis Sign\castshow.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\GCV2PVOV.dll
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\hfbl.exe
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\kdli.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\res62C.tmp
Adware:Adware/nCase No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\res6A9.tmp
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Inite\Local Settings\Temp\umqltg4cl_.exe
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Inite\Local Settings\Temporary Internet Files\Content.IE5\OZI18CKT\dd[1].exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Inite\Local Settings\Temporary Internet Files\Content.IE5\Q96LWXKZ\180[1].exe
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S42NS.EXE
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
Adware:Adware/WUpd No disinfected C:\temp\MediaGateway.exe
Virus:Trojan Horse Disinfected C:\unzipped\OnlyerPack\showcdkey.zip[showcdkey.exe]
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\Downloaded Program Files\azesearch.inf
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.inf
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\azebar.xml
Adware:Adware/MyWay No disinfected D:\backups\backup-20050114-084237-477.dll
Adware:Adware/RelatedLinks No disinfected D:\backups\backup-20050114-084237-819.dll
Adware:Adware/P2PNetworking No disinfected D:\backups\backup-20050114-084237-948.dll
Virus:Bck/IRCFlood.V Disinfected D:\mIRC\Desktop\Invision\Stdio.dll
Virus:Bck/IRCFlood.V Disinfected D:\mIRC\Invision\Stdio.dll
Virus:Trojan Horse Disinfected D:\unzipped\OnlyerPack.zip[showcdkey.zip][showcdkey.exe]
Virus:Trojan Horse Disinfected D:\unzipped\showcdkey\showcdkey.exe
Virus:Trj/Downloader.CZR Disinfected Local Folders\Inbox\Captured..\[Pictures.zip][pics.scr]

Here's my hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:59 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
D:\Diablo II\Diablo II.exe
C:\Documents and Settings\Inite\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117052785713
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi inite,

Please download - CleanUp - and save it on your desktop.

Please reboot the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.
Locate and delete the following files -

C:\Program Files\MySearch < ------- Full Folder
C:\WINDOWS\system32\P2P Networking <------- all files and one folder by this name

C:\WINDOWS\system32\azebar.xml
C:\WINDOWS\screen.html
C:\WINDOWS\Downloaded Program Files\azesearch.inf
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\WINDOWS\Downloaded Program Files\clientax.inf
C:\Documents and Settings\All Users\Application Data\Idol Web Axis Sign\castshow.exe
C:\temp\MediaGateway.exe
C:\unzipped\OnlyerPack\showcdkey.zip

Run CleanUp and delete all temp files including temporary internet files.

Reboot the PC and post a fresh HJT log here

Edited by tampabelle, 08 July 2005 - 10:54 AM.


#13 inite (Topic Starter, Member, 409 posts)
Posted Image


Is this normal? It seems like a big file and I'm afraid to reboot the comp lest I can't get on to the desktop 'cos it deleted my main bootup files. Seems really huge.

#14 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi inite,

Most of the files deleted are temp files!!!!!!!

I don't see any problem with any of the files deleted.

Please proceed with the rest of the fix.

Complete the fix and post a fresh HJT log here

#15 inite (Topic Starter, Member, 409 posts)
OK, thx, just being wary. Will post back in a while. Thx for the prompt response.