HiJack Log [RESOLVED]


  • This topic is locked

#1
darkmetal505


    Member

  • Member
  • 39 posts
here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:09 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\shimgvw.exe
C:\WINDOWS\System32\j?vaw.exe
C:\WINDOWS\System32\RyjUgX.exe
C:\WINDOWS\System32\Gcj2s6.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\180searchassistant\salm.exe
C:\temp\bundle_cdt1006.exe
C:\WINDOWS\system32\krg7d90b.exe
C:\Documents and Settings\hp pavilion\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10E89D15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {10E89F15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {11E89F1D-5CD8-777A-80FB-5B4030EEFC96} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XjKr6f] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKLM\..\Run: [XjKr6f.exe] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\GivLt51.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [qryvid] C:\WINDOWS\qryvid.exe
O4 - HKLM\..\Run: [krg7d90b] C:\WINDOWS\system32\krg7d90b.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [shimgvw] C:\WINDOWS\System32\shimgvw.exe
O4 - HKCU\..\Run: [Ymhnshsz] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\hp pavilion\Application Data\othb.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {A9DAD15A-365E-494D-9D41-8A0BB80007B0} (ArcticShell control) - http://www.arcticpig...ivex/mayhem.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


thanks a bunch
  • 0



#2
Buckeye_Sam


    Malware Expert

  • Member
  • 10,019 posts
Hello and welcome to Geeks To Go. My name is Sam and I will be helping you.
Let's start out with some general scans and see if we can't clean things up a little.


+++++ Step 1 +++++

Please download Ewido security suite; it is a trial version of the program.
  • Install Ewido security suite
  • Launch Ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)


+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.


If you have received help elsewhere or no longer need our assistance, please let us know.

Edited by Buckeye_Sam, 13 July 2005 - 07:59 AM.

  • 0

#3
darkmetal505


    Member

  • Topic Starter
  • Member
  • 39 posts
I actually ran Ad-Aware SE and it seems to have gotten rid of the 180 search assistant bar. Would you still like for me to go ahead and do the steps to search for other infections?

Thanks
  • 0

#4
Buckeye_Sam


    Malware Expert

  • Member
  • 10,019 posts
Your HijackThis log shows a variety of malware in addition to 180 Search. Ad-Aware would have helped with some of it, but it's doubtful that it cleaned up everything. I would recommend at least posting a new HijackThis log. Then I'll take a look at what's still there and we'll determine the best course of action.
  • 0

#5
darkmetal505


    Member

  • Topic Starter
  • Member
  • 39 posts
here is a new one:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:54 AM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\krg7d90b.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\System32\shimgvw.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\System32\Gcj2s6.exe
C:\WINDOWS\system32\Yhrt.exe
C:\Documents and Settings\hp pavilion\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10E89D15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {10E89F15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {11E89F1D-5CD8-777A-80FB-5B4030EEFC96} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [XjKr6f] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKLM\..\Run: [XjKr6f.exe] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\SYSTEM32\CERHP4.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qryvid] C:\WINDOWS\qryvid.exe
O4 - HKLM\..\Run: [krg7d90b] C:\WINDOWS\system32\krg7d90b.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [shimgvw] C:\WINDOWS\System32\shimgvw.exe
O4 - HKCU\..\Run: [Ymhnshsz] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {A9DAD15A-365E-494D-9D41-8A0BB80007B0} (ArcticShell control) - http://www.arcticpig...ivex/mayhem.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thanks :tazz:
  • 0

#6
Buckeye_Sam


    Malware Expert

  • Member
  • 10,019 posts
There's still plenty in your log to deal with I'm afraid. But we'll get you cleaned up.


Please download and install Cleanup 4.0, but don't run it yet.
http://cleanup.stevengould.org/


=========


Please make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {10E89D15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {10E89F15-5CAD-0376-808C-20404F9BFC9A} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {11E89F1D-5CD8-777A-80FB-5B4030EEFC96} - C:\WINDOWS\System32\iow.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O4 - HKLM\..\Run: [XjKr6f] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKLM\..\Run: [XjKr6f.exe] C:\windows\temp\XjKr6f.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\SYSTEM32\CERHP4.EXE
O4 - HKLM\..\Run: [qryvid] C:\WINDOWS\qryvid.exe
O4 - HKLM\..\Run: [krg7d90b] C:\WINDOWS\system32\krg7d90b.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [shimgvw] C:\WINDOWS\System32\shimgvw.exe
O4 - HKCU\..\Run: [Ymhnshsz] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe


Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\qryvid.exe
C:\WINDOWS\System32\iow.dll
C:\WINDOWS\system32\WinDriv32.exe
C:\WINDOWS\SYSTEM32\CERHP4.EXE
C:\WINDOWS\system32\krg7d90b.exe
C:\WINDOWS\System32\shimgvw.exe
C:\Program Files\ipee
C:\Program Files\Media Gateway
C:\PROGRAM FILES\WINDOW~4 <-- should be similar to Windows Search Bar


Run CleanUp that you downloaded earlier. This will remove all of your temp files and empty your recycle bin.


Reboot your computer to go back to normal mode.


=========


Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

rem dir treats the "?" in j?vaw.exe as a single-character wildcard, so this lists the
rem real javaw.exe and the look-alike side by side; /a includes hidden and system files
dir C:\WINDOWS\System32\j?vaw.exe /a > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here in your next reply.


=========


Please run at least two of these online scans.
Make sure they are set to clean automatically.

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scans.

Edited by Buckeye_Sam, 15 July 2005 - 04:03 PM.

  • 0
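An added example, not from the thread or from HijackThis: a Python check that parses the `dir` listing FindFile.bat produces and flags a file whose name is a known Windows file name with a non-ASCII look-alike character swapped in, which is what the `?` in j?vaw.exe denotes. The sample listing is constructed from the output posted in this thread; the Cyrillic letter used as the substituted character is an assumption, since the log only shows `?`.

```python
import re
import unicodedata

# Constructed sample modelled on the FindFile.bat output posted in this thread.
# cmd.exe and HijackThis render the odd character in the impostor's name as "?";
# here a Cyrillic small a (U+0430) stands in for it. That letter is an assumption
# made so the check has a real non-ASCII character to work on.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 15E1-7745

 Directory of C:\\WINDOWS\\System32

12/04/2003  02:00 AM            28,768 javaw.exe
07/13/2005  03:00 PM           401,408 j\u0430vaw.exe
               2 File(s)        430,176 bytes
"""

# Legitimate Windows file names a look-alike would imitate. javaw.exe is the
# thread's case; the rest are a starting list, not an exhaustive one.
KNOWN_GOOD = ("javaw.exe", "java.exe", "svchost.exe", "userinit.exe", "explorer.exe")

# One file row of a `dir` listing: date, time, size with thousands separators, name.
DIR_ROW = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return one dict per file row; <DIR> rows and the totals line do not match."""
    rows = []
    for line in text.splitlines():
        m = DIR_ROW.match(line)
        if m:
            rows.append({"date": m.group(1), "time": m.group(2),
                         "size": int(m.group(3).replace(",", "")), "name": m.group(4)})
    return rows


def skeleton(name):
    """Mask every non-ASCII character as '?', reproducing how the tools showed j?vaw.exe."""
    return "".join(ch if ch.isascii() else "?" for ch in name)


def odd_characters(name):
    """Describe each non-ASCII character so the analyst can see what was substituted."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
            for ch in name if not ch.isascii()]


def masks_to(skel, good):
    """True if skel equals good except at the '?' positions (single-character swaps only)."""
    return len(skel) == len(good) and all(a == b or a == "?" for a, b in zip(skel, good))


def find_lookalikes(rows, known_good=KNOWN_GOOD):
    """Flag non-ASCII file names that collide with a known-good name once masked, and
    report the genuine file's size when it sits in the same directory listing."""
    by_name = {r["name"].lower(): r for r in rows}
    findings = []
    for row in rows:
        if row["name"].isascii():
            continue
        skel = skeleton(row["name"]).lower()
        for good in known_good:
            if masks_to(skel, good):
                genuine = by_name.get(good)
                findings.append({
                    "name": row["name"],
                    "imitates": good,
                    "size": row["size"],
                    "odd_chars": odd_characters(row["name"]),
                    "genuine_size": genuine["size"] if genuine else None,
                })
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        genuine = f"{f['genuine_size']:,} bytes" if f["genuine_size"] else "not present"
        print(f"{f['name']!r} imitates {f['imitates']}: {f['size']:,} bytes, "
              f"genuine copy {genuine}; substituted: {', '.join(f['odd_chars'])}")
```

The same masking also explains why the batch file's `?` wildcard matches both files: the genuine javaw.exe and the impostor differ in exactly one character position.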

#7
darkmetal505


    Member

  • Topic Starter
  • Member
  • 39 posts
New HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:38 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LhoK8W3.exe
C:\WINDOWS\system32\Yhrt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\hp pavilion\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\OjqN0Y44.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A9DAD15A-365E-494D-9D41-8A0BB80007B0} (ArcticShell control) - http://www.arcticpig...ivex/mayhem.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


FindFile.bat output:

Volume in drive C has no label.
Volume Serial Number is 15E1-7745

Directory of C:\WINDOWS\System32

12/04/2003 02:00 AM 28,768 javaw.exe
07/13/2005 03:00 PM 401,408 j?vaw.exe
2 File(s) 430,176 bytes

Directory of C:\Documents and Settings\hp pavilion\Desktop


Panda Active Scan result:


Incident Status Location

Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\SYSTEM32\OJQN0Y44.EXE
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Yhrt.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\LhoK8W3.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\apuc.dll
Adware:adware/netpals No disinfected C:\WINDOWS\SYSTEM32\calsdr.dll
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Adware:adware/browseraid No disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\msbb321.dll
Spyware:spyware/adclicker No disinfected C:\WINDOWS\SYSTEM32\pup.exe
Adware:adware/addestroyer No disinfected C:\WINDOWS\SYSTEM32\SWRT01.dll
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\VBouncerOuter1137040505.EXE
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/delfinmedia No disinfected C:\keys.ini
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\dpusys.ini
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/esyndicate No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WBCM
Adware:adware/blazefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINDOWS SA
Adware:adware/mywebsearch No disinfected HKEY_CURRENT_USER\SOFTWARE\TOOLBAR
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/statblaster No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MINIGOLF
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:adware/memorywatcher No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\MEMORYWATCHER
Adware:adware/iedriver No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{1A00C40B-DA85-4AA3-A67F-582D9347EECD}
Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\Interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-10dd1028-6da1911a.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\GetAccess.class-757cc4da-10ea4f87.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\GetAccess.class-7fd63a53-5dac03a0.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\InsecureClassLoader.class-5c4c2e2f-7fa433ff.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-5dce5407-181a5350.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-5dce5407-181a5350.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-697e4ecc-1a36f28f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-697e4ecc-1a36f28f.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-697e4ecc-1a36f28f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-697e4ecc-1a36f28f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-5b377964.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-5b377964.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-5b377964.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-5b377964.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6fcf5f78.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6fcf5f78.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6fcf5f78.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-6fcf5f78.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7a22786b.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7a22786b.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7a22786b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7a22786b.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-793185eb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-793185eb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-793185eb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-793185eb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-64269984-4e46fa31.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-64269984-4e46fa31.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-64269984-4e46fa31.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-64269984-4e46fa31.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66656fc7-42ca01a9.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66656fc7-42ca01a9.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66656fc7-42ca01a9.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-3cdf09ca.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-3cdf09ca.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-3cdf09ca.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a93af-3cdf09ca.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a96b1-476621f2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-30f1f1ac-13a31ac7.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-30f1f1ac-13a31ac7.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-30f1f1ac-13a31ac7.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-30f1f1ac-13a31ac7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-410a8915-35ca072d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-410a8915-35ca072d.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-410a8915-35ca072d.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-410a8915-35ca072d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-19cdd09a-428adf90.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-19cdd09a-428adf90.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-19cdd09a-428adf90.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-19cdd09a-428adf90.zip[Parser.class]
Adware:Adware/nCase No disinfected C:\Documents and Settings\hp pavilion\Desktop\hijackthis\backups\backup-20050714-103352-320.dll
Adware:Adware/BlazeFind No disinfected C:\Documents and Settings\hp pavilion\Desktop\hijackthis\backups\backup-20050717-113253-733.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\e359hchk.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biH.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\apuc.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Arzhag6.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\AthffaH.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\atiupdate5.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Azw54.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\calsdr.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\calsdr.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050113-191218.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050228-195231.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050601-173012.backup
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exul.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\GivLt51.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Hcj2s6.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\HraiNO18.exe
Possible Virus. No disinfected C:\WINDOWS\system32\inetp60.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Jls3.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\j?vaw.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\KrwH5f.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\KtrA.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\LhoK8W3.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\lmf32v.dll_tobedeleted
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\MkqjPr5.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\msbb321.dll
Virus:W32/Gaobot.RB.worm Disinfected C:\WINDOWS\system32\Msrv32.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\NipM9X44.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\OfoWP.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\OjqN0Y44.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\PsqfRame.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Pws1B4.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\RodeL8.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ssa9.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\TtsKDJTq.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ufmmx.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Uvz6.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\WnwEwc.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Wqxd.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Yhrt.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\YtaxJ.exe


Trend Micro Housecall:

Virus Scan 0 virus cleaned, 5 viruses deleted


Results:
We have detected 4 infected file(s) with 5 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 5 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Documents and Settings\hp pavilion\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e1a96b1-476621f2.zip
- BlackBox.class JAVA_BYTEVER.A Deletion successful
- VerifierBug.class JAVA_BYTEVER.A Deletion successful
C:\WINDOWS\system32\Jls3.exe BKDR_SANDBOX.A Deletion successful
C:\WINDOWS\system32\KtrA.exe BKDR_SANDBOX.A Deletion successful
C:\WINDOWS\system32\RodeL8.exe BKDR_SANDBOX.A Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 12 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 12 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 12 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
ADW_BADBITOR.A Adware Removal successful
SPYW_WINSB.A Spyware Removal successful
ADW_VERTICITY.A Adware Removal successful
ADW_OVERPRO.A Adware Removal successful
ADW_NETPALS.A Adware Removal successful (Please reboot your machine)
ADW_SIDESEARCH.A Adware Removal successful
SPYW_DYFUCA.L Spyware Removal successful
SPYW_MEDACCESS.A Spyware Removal successful
SPYW_VBOUNCE.B Spyware Removal successful (Please reboot your machine)
ADW_BLAZE.B Adware Removal successful
ADW_BROWSERAID.E Adware Removal successful (Please reboot your machine)
ADW_WINAD.L Adware Removal successful




Microsoft Vulnerability Check 3 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 3 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.;The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter. MS04-027
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004




Hope that's everything. Thanks :tazz:

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Yes, that's everything. Thank you! It makes it so much easier to analyze your problems. :tazz:



Download Newuninst.exe
http://www.thatcompu...s/newuninst.exe

Double click on 'Newuninst.exe' and press *Uninstall*. Let it run and when the progress bar says *complete* you can then press *close*. You must be online to have this work, and do not block any attempts by the program to connect to the internet if your firewall requests access. It will just run and then close.


==========


Fix these lines with Hijackthis.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\OjqN0Y44.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -


==========


Delete these files/folders.

C:\WINDOWS\System32\j?vaw.exe <- the ? could represent any character, but this file is around 401kb and was created on 7/13/05.
C:\WINDOWS\dpusys.ini
C:\WINDOWS\sepsd.bin
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\Downloaded Program Files\VBouncerOuter1137040505.EXE
C:\WINDOWS\SYSTEM32\SahImages
C:\WINDOWS\e359hchk.exe
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\biH.inf
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\system32\Arzhag6.exe
C:\WINDOWS\system32\AthffaH.exe
C:\WINDOWS\system32\atiupdate5.exe
C:\WINDOWS\system32\Azw54.exe
C:\WINDOWS\system32\calsdr.dll
C:\WINDOWS\system32\calsdr.exe
C:\WINDOWS\system32\exul.exe
C:\WINDOWS\system32\GivLt51.exe
C:\WINDOWS\system32\Hcj2s6.exe
C:\WINDOWS\system32\HraiNO18.exe
C:\WINDOWS\system32\Jls3.exe
C:\WINDOWS\system32\KrwH5f.exe
C:\WINDOWS\system32\KtrA.exe
C:\WINDOWS\system32\lmf32v.dll_tobedeleted
C:\WINDOWS\system32\MkqjPr5.exe
C:\WINDOWS\system32\Msrv32.exe
C:\WINDOWS\system32\NipM9X44.exe
C:\WINDOWS\system32\OfoWP.exe
C:\WINDOWS\system32\OjqN0Y44.exe
C:\WINDOWS\system32\PsqfRame.exe
C:\WINDOWS\system32\Pws1B4.exe
C:\WINDOWS\system32\RodeL8.exe
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\Ssa9.exe
C:\WINDOWS\system32\TtsKDJTq.exe
C:\WINDOWS\system32\Ufmmx.exe
C:\WINDOWS\system32\Uvz6.exe
C:\WINDOWS\system32\WnwEwc.exe
C:\WINDOWS\system32\Wqxd.exe
C:\WINDOWS\system32\YtaxJ.exe
C:\WINDOWS\system32\Yhrt.exe
C:\WINDOWS\system32\LhoK8W3.exe
C:\WINDOWS\SYSTEM32\apuc.dll
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\SYSTEM32\ide21201.vxd
C:\WINDOWS\SYSTEM32\inetp60.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\pup.exe
C:\WINDOWS\SYSTEM32\SWRT01.dll
C:\keys.ini


=========


Please follow these instructions to run Ad-Aware.
  • Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
    • Download Ad-Aware SE Personal 1.06:
    • Install Ad-Aware SE Personal 1.06:
      • Double-click on aawsepersonal.exe to install the program.
      • Follow the default settings for installation.
      • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
    • Update Ad-Aware SE Personal 1.06:
      • Double-click the Ad-Aware SE Personal icon on your desktop.
      • Click "Check for updates now" then click "Connect".
      • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
    • Configure Ad-Aware SE Personal 1.06:
      • Click on the Gear button at the top of the window.
      • Click "General" on the left hand side to display the General Settings box.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.05:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
Reboot and post a new hijackthis log and we'll see what's left.
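The note beside j?vaw.exe in the delete list, that the unknown character is confirmed by the file's size of about 401 KB and its creation date of 7/13/05, describes a check that is easy to get wrong by eye, because the legitimate javaw.exe fits the same wildcard. The Python below is an added example, not code from the thread or from HijackThis: it matches a directory listing against the wildcard and only marks a candidate for deletion when the size and creation date agree as well. The directory listing is constructed, the accented letter stands in for whatever character was really in the name, and the 8 KB size window is an assumption.

```python
# Added example, not code from the thread or from HijackThis: find the
# "j?vaw.exe" file when the unknown character cannot be typed, confirming
# the match with the size and creation date the helper gave.
import fnmatch
import os
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, List

KB = 1024


@dataclass(frozen=True)
class FileEntry:
    """One directory entry: name, size in bytes, creation date."""
    name: str
    size: int
    created: date


@dataclass(frozen=True)
class Candidate:
    entry: FileEntry
    size_ok: bool
    date_ok: bool

    @property
    def confirmed(self) -> bool:
        # Name alone is not enough: the real javaw.exe fits the same wildcard.
        return self.size_ok and self.date_ok


def find_candidates(entries: Iterable[FileEntry],
                    pattern: str = "j?vaw.exe",
                    approx_kb: int = 401,
                    created_on: date = date(2005, 7, 13),
                    tolerance_kb: int = 8) -> List[Candidate]:
    """Every entry whose name fits the wildcard, flagged on whether its size
    (within tolerance_kb, an assumed window around 'around 401kb') and
    creation date also agree."""
    found = []
    for e in entries:
        # fnmatchcase: '?' is exactly one character of any kind, including a
        # non-ASCII one; names are lower-cased because NTFS ignores case.
        if not fnmatch.fnmatchcase(e.name.lower(), pattern.lower()):
            continue
        size_ok = abs(e.size - approx_kb * KB) <= tolerance_kb * KB
        found.append(Candidate(e, size_ok, e.created == created_on))
    return found


def scan_directory(path: str) -> List[FileEntry]:
    """Read a real folder. st_ctime is the creation time on Windows but the
    last metadata change on POSIX, so the date test only means something
    on the Windows machine being cleaned."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                st = d.stat(follow_symlinks=False)
                out.append(FileEntry(d.name, st.st_size,
                                     datetime.fromtimestamp(st.st_ctime).date()))
    return out


# Constructed stand-in for a C:\WINDOWS\System32 listing (sizes and dates are
# made up; the accented letter stands in for whatever character was really there).
SAMPLE_LISTING = [
    FileEntry("javaw.exe", 135168, date(2004, 8, 4)),        # legitimate launcher, wrong size/date
    FileEntry("j\u00e1vaw.exe", 410624, date(2005, 7, 13)),  # 401 KB, created 7/13/05
    FileEntry("Jls3.exe", 43008, date(2005, 7, 13)),         # right date, wrong name
    FileEntry("notepad.exe", 69120, date(2004, 8, 4)),
]


def confirmed_names(entries: Iterable[FileEntry] = SAMPLE_LISTING) -> List[str]:
    """Names that match on wildcard, size and date: the ones to delete."""
    return [c.entry.name for c in find_candidates(entries) if c.confirmed]


def pattern_only_names(entries: Iterable[FileEntry] = SAMPLE_LISTING) -> List[str]:
    """Names that fit the wildcard but fail size or date: leave these alone."""
    return [c.entry.name for c in find_candidates(entries) if not c.confirmed]


if __name__ == "__main__":
    for c in find_candidates(SAMPLE_LISTING):
        verdict = "DELETE" if c.confirmed else "keep (name fits, size/date do not)"
        print(f"{c.entry.name!r}: {c.entry.size // KB} KB, created {c.entry.created}: {verdict}")
```

Run against a real folder with `find_candidates(scan_directory(r"C:\WINDOWS\System32"))`; the legitimate launcher shows up as a name-only match and is kept, which is the mistake the size and date in the helper's note are there to prevent.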

#9
darkmetal505

    Member

  • Topic Starter
  • Member
  • 39 posts
Here's a new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:35 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\hp pavilion\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A9DAD15A-365E-494D-9D41-8A0BB80007B0} (ArcticShell control) - http://www.arcticpig...ivex/mayhem.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
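Both the fix list in post #8 and the new log above are HijackThis lines in one fixed format: a section code (R1, O2, O4, O16, O23) followed by a body whose shape depends on the section. As an added example, not code from the thread or from HijackThis, the Python below parses such lines into structured records, reports which start-up entries still load a file from the helper's delete list, and lists O16 (Downloaded Program Files) entries that record no download URL, like the second O16 line the helper queued for fixing. The sample lines are copied from the two logs on this page and the delete list is a subset of the helper's; nothing is read from a live system.

```python
# Added example (not from the thread or from HijackThis): parse HJT log
# lines and cross-check start-up entries against the helper's delete list.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll))', re.IGNORECASE)


@dataclass(frozen=True)
class HjtEntry:
    code: str    # section code: R1, O2, O4, O16, O23, ...
    raw: str     # the line as HijackThis printed it
    name: str    # Run value name, BHO or DPF description, service name
    target: str  # file, URL or command the entry loads ("" when none is recorded)


def _exe_of(command: str) -> str:
    """Drop quotes and arguments from a Run command, keeping the executable path."""
    m = EXE_RE.match(command)
    return m.group("path") if m else command


def parse_line(line: str) -> Optional[HjtEntry]:
    """One HJT line to an HjtEntry; header and process-list lines give None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O4":
        r = RUN_RE.match(body)
        if r:
            return HjtEntry(code, line, r["name"], _exe_of(r["cmd"]))
    if code == "O16":
        d = DPF_RE.match(body)
        if d:
            return HjtEntry(code, line, d["desc"] or "", d["url"])
    if code in ("O2", "O9", "O23"):
        # "Label: Name - {CLSID or owner} - path": the path is the last " - " field
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[-1]
        return HjtEntry(code, line, name, parts[-1] if len(parts) > 1 else "")
    return HjtEntry(code, line, "", body)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def still_referenced(entries: Iterable[HjtEntry], delete_list: Iterable[str]) -> List[HjtEntry]:
    """Entries whose target is a file on the delete list. Matching is by file
    name, case-insensitively, because HJT prints system32/System32 both ways."""
    wanted = {_basename(p) for p in delete_list}
    return [e for e in entries if _basename(e.target) in wanted]


def dpf_without_source(entries: Iterable[HjtEntry]) -> List[HjtEntry]:
    """O16 entries with no download URL: the log no longer says where the control came from."""
    return [e for e in entries if e.code == "O16" and not e.target]


# Sample input copied from this thread: the fix list in post #8 and a few lines
# of the clean log in post #9. DELETE_LIST is a subset of the helper's list.
FIX_LIST_LINES = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\OjqN0Y44.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c10.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
"""
CLEAN_LOG_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""
DELETE_LIST = [r"C:\WINDOWS\system32\OjqN0Y44.exe", r"C:\WINDOWS\system32\Jls3.exe",
               r"C:\WINDOWS\SYSTEM32\inetp60.dll", r"C:\keys.ini"]


def fix_list_hits() -> List[str]:
    """Run value names in the pre-fix lines that load a file from the delete list."""
    return [e.name for e in still_referenced(parse_log(FIX_LIST_LINES), DELETE_LIST)]


def clean_log_hits() -> List[str]:
    """Same check on the new log; an empty result backs up 'your log looks clean'."""
    return [e.name for e in still_referenced(parse_log(CLEAN_LOG_LINES), DELETE_LIST)]


if __name__ == "__main__":
    print("old log, still loading from delete list:", fix_list_hits())
    print("new log, still loading from delete list:", clean_log_hits())
    for e in dpf_without_source(parse_log(FIX_LIST_LINES)):
        print("O16 with no source URL:", e.raw)
```

The file-name match deliberately ignores the directory: HijackThis prints `System32` and `system32` in different sections, and the helper's delete list mixes both spellings too. Reading a full log into `parse_log` and checking `still_referenced` against the delete list is the same question the helper answers by eye when comparing the old and new logs.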

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Your log looks clean to me. How does it feel on your end?
Let me know of any problems that you are still having.

#11
darkmetal505

    Member

  • Topic Starter
  • Member
  • 39 posts
Looks good to me, thanks for all your help :tazz:

#12
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

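The Internet Explorer zone changes in the post above can be checked and applied without clicking through the dialog. Each entry in the Custom Level list is a DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (zone 3 is the Internet zone), named by a hex action code, with 0 = Enable, 1 = Prompt and 3 = Disable; the six codes used here are the ones Microsoft documents in KB 182569 for those six settings. The script below is an added example, not part of the thread and not a tool the poster recommended: it parses the output of `reg export` for that key (the sample export is constructed for the demo), reports settings that are weaker than the post recommends, and writes a `.reg` file that tightens only those. Applying it with `reg import` is left to the reader and is best done after the machine has been cleaned, since malware that rewrites these values will simply undo it.

```python
"""Audit and harden the IE Internet-zone settings named in the post.

Added example, not from the original thread.  Action codes and the
0/1/3 level encoding follow Microsoft KB 182569; the registry export
below is constructed sample data.
"""
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
            r"\CurrentVersion\Internet Settings\Zones\3")

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# action code -> (Custom Level label, level the post asks for)
RECOMMENDED = {
    0x1001: ("Download signed ActiveX controls", PROMPT),
    0x1004: ("Download unsigned ActiveX controls", DISABLE),
    0x1201: ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    0x1607: ("Navigate sub-frames across different domains", PROMPT),
    0x1800: ("Installation of desktop items", PROMPT),
    0x1804: ("Launching programs and files in an IFRAME", PROMPT),
}

# Constructed sample of what `reg export "<ZONE_KEY>" zone3.reg` produces,
# with two of the six settings left at Enable.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000001
"1800"=dword:00000000
"1804"=dword:00000001
'''

# Value names are four hex digits; the data is an 8-digit hex DWORD.
_DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})\s*$', re.M)


def parse_zone_export(text):
    """Return {action_code: level} for the DWORD values under ZONE_KEY."""
    parts = text.split("[" + ZONE_KEY + "]", 1)
    body = parts[1] if len(parts) == 2 else ""
    body = body.split("\n[", 1)[0]          # stop at the next key, if any
    return {int(name, 16): int(data, 16) for name, data in _DWORD_RE.findall(body)}


def audit(current):
    """Return (code, label, current_level, wanted_level) for each setting
    that is missing or less restrictive than the post recommends.
    Levels order as 0 Enable < 1 Prompt < 3 Disable, so '<' means weaker."""
    findings = []
    for code, (label, want) in sorted(RECOMMENDED.items()):
        have = current.get(code)
        if have is None or have < want:
            findings.append((code, label, have, want))
    return findings


def fix_reg(findings):
    """Build a .reg file that sets every finding to its recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + ZONE_KEY + "]"]
    for code, _label, _have, want in findings:
        lines.append('"%04X"=dword:%08x' % (code, want))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit(parse_zone_export(SAMPLE_EXPORT))
    for code, label, have, want in found:
        print("%04X %-62s %s -> %s" % (code, label,
                                        LEVEL_NAMES.get(have, "missing"),
                                        LEVEL_NAMES[want]))
    print(fix_reg(found))
```

On a real machine run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, feed the file to `parse_zone_export`, and import the generated `.reg` only if the findings match what you expect; the same six codes can be checked under `Zones\4` (Restricted sites) if you want to confirm that zone is still locked down.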
#13
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.