yieldmanager frustration :) [CLOSED] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works
Page 1 of 1

yieldmanager frustration :) [CLOSED]

#1 laza_burnz

  • Group: Member
  • Posts: 4
  • Joined: 06-August 05

Posted 06 August 2005 - 04:34 AM

hi there..
getting a bit frustrated here
i have been getting ads from yieldmanager popping up, started off rarely nw almost constantly

I have run
adaware
cwshredder
spybot s&d
trend housecall
avg
trojanhunter
al with the latest updates
there are no updates from microsoft
I have rebooted
my hijackthis logfile says

Logfile of HijackThis v1.99.1
Scan saved at 8:25:59 PM, on 6/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\csrss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eoim\swma.exe
C:\WINDOWS.000\System32\??rss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = vic.bigpond.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS.000\system\dla\tfswshx.dll
O2 - BHO: (no name) - {960D4F4D-A1AE-D505-D90E-8BADD8BB22C3} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: (no name) - {9F0D4F4A-A1AE-D571-D978-8EADAECE22B1} - C:\WINDOWS.000\System32\mtixtrx.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.000\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Hnrr] C:\Program Files\eoim\swma.exe
O4 - HKCU\..\Run: [Khx] C:\WINDOWS.000\System32\??rss.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122471977570
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://allslots.mic...ots/FlashAX.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.000\system32\LEXBCES.EXE

please help me :tazz:
thanks

#2 Excal

  • Group: Retired Staff
  • Posts: 12,739
  • Joined: 17-April 05

Posted 10 August 2005 - 05:30 PM

Hi laza_burnz and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3 laza_burnz

  • Group: Member
  • Posts: 4
  • Joined: 06-August 05

Posted 11 August 2005 - 11:40 PM

not to worry mate Im sure youre busy :tazz:
heres my latest hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 3:38:34 PM, on 12/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\csrss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eoim\swma.exe
C:\WINDOWS.000\System32\??rss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\wdfmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS.000\System32\alg.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\System32\wbem\wmiprvse.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = vic.bigpond.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS.000\system\dla\tfswshx.dll
O2 - BHO: (no name) - {960D4F4D-A1AE-D505-D90E-8BADD8BB22C3} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: (no name) - {9F0D4F4A-A1AE-D571-D978-8EADAECE22B1} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.000\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Hnrr] C:\Program Files\eoim\swma.exe
O4 - HKCU\..\Run: [Khx] C:\WINDOWS.000\System32\??rss.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/s...an/pestscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://allslots.mic...ots/FlashAX.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.000\system32\LEXBCES.EXE

#4 Excal

  • Group: Retired Staff
  • Posts: 12,739
  • Joined: 17-April 05

Posted 11 August 2005 - 11:44 PM

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

Quote

dir C:\WINDOWS.000\System32\??rss.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.


Thanks,


Excal

#5 laza_burnz

  • Group: Member
  • Posts: 4
  • Joined: 06-August 05

Posted 12 August 2005 - 02:05 AM

here is that txt file anf the hjt log


Volume in drive C is LOCAL
Volume Serial Number is 2566-1AE0

Directory of C:\WINDOWS.000\System32

22/07/2005 12:00 AM 401,408 ??rss.exe
04/08/2004 05:56 PM 6,144 csrss.exe
2 File(s) 407,552 bytes

Directory of C:\Documents and Settings\davies\Desktop

Logfile of HijackThis v1.99.1
Scan saved at 6:04:41 PM, on 12/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\csrss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eoim\swma.exe
C:\WINDOWS.000\System32\??rss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\wdfmgr.exe
C:\WINDOWS.000\System32\alg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\WINDOWS.000\System32\wbem\wmiprvse.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = vic.bigpond.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS.000\system\dla\tfswshx.dll
O2 - BHO: (no name) - {960D4F4D-A1AE-D505-D90E-8BADD8BB22C3} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: (no name) - {9F0D4F4A-A1AE-D571-D978-8EADAECE22B1} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.000\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Hnrr] C:\Program Files\eoim\swma.exe
O4 - HKCU\..\Run: [Khx] C:\WINDOWS.000\System32\??rss.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/s...an/pestscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://allslots.mic...ots/FlashAX.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.000\system32\LEXBCES.EXE

#6 Excal

  • Group: Retired Staff
  • Posts: 12,739
  • Joined: 17-April 05

Posted 12 August 2005 - 02:17 AM

Hi laza_burnz,


DOWNLOAD PROGRAMS

Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\SYSTEM\blank.htm
O2 - BHO: (no name) - {960D4F4D-A1AE-D505-D90E-8BADD8BB22C3} - C:\WINDOWS.000\System32\mtixtrx.dll
O2 - BHO: (no name) - {9F0D4F4A-A1AE-D571-D978-8EADAECE22B1} - C:\WINDOWS.000\System32\mtixtrx.dll
O4 - HKCU\..\Run: [Hnrr] C:\Program Files\eoim\swma.exe
O4 - HKCU\..\Run: [Khx] C:\WINDOWS.000\System32\??rss.exe

8. click the Fix Checked box

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\eoim

10. Please remove just the files from the following paths using Windows Explorer (if present):


This is very important on this next file. There are two of these in your System32 folder ensure that your delete the one that created on 22/07/2005 and is 401,408 bytes in size. Right click on it and go to properties to see this information.

C:\WINDOWS.000\System32\csrss.exe

11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

#7 laza_burnz

  • Group: Member
  • Posts: 4
  • Joined: 06-August 05

Posted 13 August 2005 - 08:07 AM

ok.. after a loooooong time scanning here are my logs
(also there was only one csrss.exe file that I could find and the date and size didnt match so I leftt it alone)

ewido report
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:07:20 PM, 13/08/2005
+ Report-Checksum: ECB2D060

+ Scan result:

C:\Documents and Settings\davies\Local Settings\Temporary Internet Files\Content.IE5\KXMRK56B\!update-2295[1].0000 -> TrojanDownloader.PurityScan.aa : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@e-2dj6wjkocgdpkgo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@e-2dj6wjk4kidzklo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@e-2dj6wjmislazcaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@e-2dj6wfkigmczkdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\davies\Cookies\davies@e-2dj6wfk4oodzglp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.13:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.47:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.49:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.50:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.51:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.52:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.53:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.55:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.56:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.58:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.67:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.68:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.69:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.72:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.73:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.74:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.78:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.79:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.80:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.81:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.82:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.83:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.86:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.87:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.89:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.90:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.91:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.97:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.98:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\davies\Application Data\Mozilla\Firefox\Profiles\n8obj78w.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End

hjt log

Logfile of HijackThis v1.99.1
Scan saved at 12:05:54 AM, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\csrss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\Explorer.EXE
C:\WINDOWS.000\system32\LEXBCES.EXE
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.000\System32\svchost.exe
C:\WINDOWS.000\system32\wdfmgr.exe
C:\WINDOWS.000\System32\alg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = vic.bigpond.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS.000\system\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.000\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/s...an/pestscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://allslots.mic...ots/FlashAX.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS.000\system32\LEXBCES.EXE

and when I tried activescan it worked for a while, found 1 spyware and then suddenly IE and the scan window closed.....
apart from that the original problem now seems to have dissapeared but I am using firefox to be safe

#8 Excal

  • Group: Retired Staff
  • Posts: 12,739
  • Joined: 17-April 05

Posted 13 August 2005 - 10:32 AM

This online scanner is not as good as active scan, but it will work on fire fox.


http://uk.trendmicro-europe.com/enterprise...call_launch.php



Everything looks really good though ;)

:tazz:

Excal

#9 Excal

  • Group: Retired Staff
  • Posts: 12,739
  • Joined: 17-April 05

Posted 29 August 2005 - 10:59 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1 (Please log in, or register to add a reply.)