Freewebs pop-ups.. [RESOLVED]


This topic is locked

#1
YunYun23
New Member, 8 posts
Please help!

The problem is there are these freewebs pop-ups that always come up once I connect to the internet. It's really annoying because it freezes my entire computer and I have to restart. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 5:54:08 PM, on 24/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\lsfixss.exe
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Yun-Yun\Desktop\HijackThis.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [BnCtest] lsfixss.exe
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [BnCtest] lsfixss.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe


#2
Kat
Retired Staff, MVP, 19,711 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

#3
YunYun23
Topic Starter, New Member, 8 posts
Thank you for helping me :tazz: Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:20 PM, on 24/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\lsfixss.exe
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Yun-Yun\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [BnCtest] lsfixss.exe
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [BnCtest] lsfixss.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#4
Kat
Retired Staff, MVP, 19,711 posts
Hello and welcome to GeeksToGo! My name is Kat, and I will be helping you get your computer fixed back up and on the go! You should either print these instructions, or save them to a Notepad file on your desktop. Part of the fix may require you to be in Safe Mode, and you will be unable to access the internet at that time!


Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Reboot into SAFE MODE. Do this by repeatedly tapping the F8 key as the computer begins to boot up. You will be taken to a screen where you can use your keyboard "arrow" keys to move the cursor and highlight "Safe Mode", then press the "enter" key.
  • Once in Safe Mode, you are going to run Ewido as follows. It is VERY IMPORTANT that you do not "multi task" while Ewido runs. Please do not open/run ANYTHING else during the scan...this includes all files, programs, folders, games, etc. ONLY have Ewido running.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.



Make a reply here with a copy of the Ewido report, along with a new HijackThis log taken after the Ewido scan, and we'll finish cleani

#5
YunYun23
Topic Starter, New Member, 8 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:05:10 PM, 24/08/2005
+ Report-Checksum: BF08BF9E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Ignored
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Ignored
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Ignored
C:\WINDOWS\system32\lsfixss.exe -> Backdoor.Rbot : Ignored
C:\Documents and Settings\Yun-Yun\Local Settings\Temporary Internet Files\Content.IE5\W23L2R5Z\piks[1].ru -> Trojan.LowZones.bh : Ignored
C:\Documents and Settings\Yun-Yun\Local Settings\Temporary Internet Files\Content.IE5\EOJ2ID5R\pics[1].ru -> Spyware.Hijacker.Generic : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@statcounter[1].txt -> Spyware.Cookie.Statcounter : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@overture[2].txt -> Spyware.Cookie.Overture : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@revenue[1].txt -> Spyware.Cookie.Revenue : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@advertising[1].txt -> Spyware.Cookie.Advertising : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@xxxtoolbar[2].txt -> Spyware.Cookie.Xxxtoolbar : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@fastclick[2].txt -> Spyware.Cookie.Fastclick : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@2o7[2].txt -> Spyware.Cookie.2o7 : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0001488.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0001496.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0003497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0004496.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0004497.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0005496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0005497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0006496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0006497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0007496.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0007497.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0008496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0008497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0009496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0009497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0011496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0011497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0012497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0012498.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0013496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0013497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0014499.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0014500.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0015496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0015497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0016496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0016497.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0019496.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0020501.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0020502.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023510.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023511.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023512.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0024494.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0024495.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027497.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027498.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027499.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028509.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028510.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028515.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028516.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0034224.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0034225.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0035065.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0035066.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0036065.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0036066.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0037065.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0037066.exe -> Spyware.Hijacker.Generic : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038066.exe -> Trojan.LowZones.bh : Ignored
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038067.exe -> Spyware.Hijacker.Generic : Ignored
C:\drivelog.exe -> Spyware.Hijacker.Generic : Ignored
C:\msdc0m.exe -> Trojan.LowZones.bh : Ignored


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 9:08:49 PM, on 24/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\lsfixss.exe
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Yun-Yun\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [BnCtest] lsfixss.exe
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [BnCtest] lsfixss.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#6
Kat
Retired Staff, MVP, 19,711 posts
wow. :tazz: Why didn't you let Ewido clean everything?? We have to do this before I can give you instructions on what to do to finish you up! :)

1. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

2. Reboot into Safe Mode, and follow the directions again to run the Ewido scan. This time, be sure to make it clean everything it finds. Save the report again please.

3. Reboot normally and post the new Ewido report, along with another HijackThis log so we can move on to the rest of the fix. :)
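As an added example, not code from this thread or from HijackThis or ewido, the Python below parses the two report formats posted above and automates the two checks Kat is making: O4 autorun entries that name a bare file with no path and are duplicated under Run and RunServices (lsfixss.exe, jswTss.exe and ccApp.exe in the log from #1), and ewido detections left as "Ignored" whose file still shows up as a running process (lsfixss.exe, flagged as Backdoor.Rbot in #5). The function names are mine, and the sample inputs are trimmed copies of the logs in posts #1 and #5.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the HijackThis log from post #1 of this thread.
HJT_LOG = r"""
Running processes:
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\lsfixss.exe
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [BnCtest] lsfixss.exe
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [BnCtest] lsfixss.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed sample: a trimmed copy of the ewido scan report from post #5.
EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Ignored
C:\WINDOWS\system32\lsfixss.exe -> Backdoor.Rbot : Ignored
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Ignored
C:\msdc0m.exe -> Trojan.LowZones.bh : Ignored
::Report End
"""

# Registry-based O4 lines look like: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_o4(log):
    """(hive, key, name, command) for every registry-based O4 line."""
    return [m.groups() for m in map(O4_RE.match, map(str.strip, log.splitlines())) if m]


def running_processes(log):
    """Lower-cased basenames listed under 'Running processes:'."""
    procs, inside = set(), False
    for line in map(str.strip, log.splitlines()):
        if line == 'Running processes:':
            inside = True
        elif inside and not line:
            break
        elif inside:
            procs.add(line.rsplit('\\', 1)[-1].lower())
    return procs


def executable(cmd):
    """Program part of an O4 command, with quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def flag_autoruns(entries):
    """Map suspicious autorun basenames to the reasons they were flagged."""
    keys_by_exe, bare = defaultdict(set), set()
    for _hive, key, _name, cmd in entries:
        exe = executable(cmd)
        base = exe.rsplit('\\', 1)[-1].lower()
        keys_by_exe[base].add(key)
        if '\\' not in exe and ':' not in exe:
            bare.add(base)  # no directory given; the copies in this thread live in System32
    flagged = {}
    for base, keys in keys_by_exe.items():
        reasons = []
        if base in bare:
            reasons.append('bare filename, no path')
        if {'Run', 'RunServices'} <= keys:
            reasons.append('registered under both Run and RunServices')
        if reasons:
            flagged[base] = reasons
    return flagged


def parse_ewido(report):
    """(path, detection, action) for each result line of an ewido report."""
    out = []
    for line in report.splitlines():
        if ' -> ' in line and ' : ' in line:
            left, action = line.rsplit(' : ', 1)
            path, detection = left.rsplit(' -> ', 1)
            out.append((path.strip(), detection.strip(), action.strip()))
    return out


def still_active(report_entries, log):
    """Detections that were not cleaned and whose file still appears as a running process."""
    procs = running_processes(log)
    return [(path.rsplit('\\', 1)[-1].lower(), detection, action)
            for path, detection, action in report_entries
            if not action.startswith('Cleaned')
            and path.rsplit('\\', 1)[-1].lower() in procs]
```

Running `flag_autoruns(parse_o4(HJT_LOG))` flags exactly the three unknown entries, and `still_active(parse_ewido(EWIDO_REPORT), HJT_LOG)` returns the Backdoor.Rbot file that was ignored and is still running, which is the gap Kat points out in #6.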

#7
YunYun23
Topic Starter, New Member, 8 posts
Oh :tazz: I seem to have misread the last step. Sorry!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:06:58 AM, 25/08/2005
+ Report-Checksum: 35402CAF

+ Scan result:

C:\Documents and Settings\Yun-Yun\Local Settings\Temporary Internet Files\Content.IE5\XHGJ2GWI\piks[1].ru -> Trojan.LowZones.bh : Cleaned with backup
C:\Documents and Settings\Yun-Yun\Cookies\yun-yun@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0001488.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0001496.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0003497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0004496.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0004497.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0005496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0005497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0006496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0006497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0007496.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0007497.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0008496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0008497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0009496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0009497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0011496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0011497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0012497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0012498.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0013496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0013497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0014499.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0014500.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0015496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0015497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0016496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0016497.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0019496.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0020501.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0020502.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023510.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023511.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0023512.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0024494.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0024495.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027497.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027498.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP4\A0027499.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028509.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028510.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028515.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP5\A0028516.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0034224.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0034225.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0035065.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0035066.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0036065.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0036066.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0037065.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0037066.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038066.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038067.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038098.exe -> Trojan.LowZones.bh : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0038099.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E1BE2210-8E1A-4C78-9101-12B73DCE7C6E}\RP6\A0040092.exe -> Backdoor.Rbot : Cleaned with backup
C:\drivelog.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:10:15 AM, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Yun-Yun\Desktop\HijackThis.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#8
Kat (Retired Staff, 19,711 posts, MVP)
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer(if present):
jswTss.exe

After that, Reboot.


Please go to Active Scan and run a complete system scan. SAVE the log report from it. Then make a reply here with a copy of the Active Scan report, and a fresh HijackThis log. Also, please let me know how things are running now.

#9
YunYun23 (Topic Starter, New Member, 8 posts)
Ahh.. I came empty handed with the report on the scan for these reasons!
1) After waiting an hour, my dad decided to close the window and try to use the computer.
2) After waiting two hours, my computer completely froze. It was barely half way done.

Currently, my computer is free of pop-ups but it is still ridiculously slow. Now that my McAfee virus scan finally updated, I thought this would be helpful. Every time I log on it detects the following:
- C:\WINDOWS\System32\ccApp.exe infected by Malware.i (Cannot be cleaned)
- C:\Documents and Settings\Yun-Yun\Local Settings\Temporary Internet Files\Contents.IE5\WDEJ4PQR\pix[1].ru infected by QLowZones-2.gen (Can be cleaned)
- C:\msdC0m.exe infected by QLowZones-2.gen. (Can be cleaned)

And here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:16:42 PM, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Yun-Yun\Desktop\HijackThis.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Should I keep trying?

#10
Kat (Retired Staff, 19,711 posts, MVP)
No, you don't have to run the ActiveScan. McAfee told me what I need to know.

1. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

2. Open HijackThis and scan for a log. Place a check next to the following only:
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe


Be sure all other windows are closed, and click the "Fix Selected" button.

3. Reboot into Safe Mode, and delete the following files if found:

C:\msdC0m.exe
C:\WINDOWS\System32\ccApp.exe


4. Reboot normally, and post a fresh HijackThis log. Let me know how things are running now. :)
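The two fixes Kat prescribed in posts #8 and #10 both rest on the same observation about the O4 lines: `jswTss.exe` and `ccApp.exe` are registered as bare file names (no directory, so Windows finds them through the search path, and `%SystemRoot%\System32` is on it), they appear under the Win9x-era RunServices key as well as Run, and `ccApp.exe` is a Symantec binary name showing up on a machine whose running processes place it in System32. The script below is an added example that mechanises that triage for a HijackThis 1.99 log; it is not part of this thread and not code from HijackThis, ewido or McAfee. The "expected home directory" table is my own assumption (Symantec's ccApp.exe ships under Common Files\Symantec Shared, ctfmon.exe under System32), and the sample log is constructed from fragments of the logs posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added triage helper for HijackThis 1.99 logs (example code, not from the thread or from
# HijackThis). It flags the autorun patterns the helper in this thread acted on by eye.

O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Assumed expected parent directory (lower-case substring) for binaries that malware likes
# to impersonate: ccApp.exe is Symantec's common-client tray process, ctfmon.exe is the
# Windows text-services loader. The same names anywhere else are suspect.
KNOWN_HOMES = {
    "ccapp.exe": "\\common files\\symantec shared\\",
    "ctfmon.exe": "\\windows\\system32\\",
}


@dataclass
class Finding:
    line: str
    resolved: str | None              # where a bare name was actually seen running, if anywhere
    reasons: list[str] = field(default_factory=list)


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable, arguments) from the command portion of an O4 line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted paths may contain spaces; the executable ends at the first ".exe".
    m = re.match(r'(?i)(.*?\.exe)(?:\s+(.*))?$', cmd)
    if m:
        return m.group(1), m.group(2) or ""
    head, _, tail = cmd.partition(" ")
    return head, tail


def running_processes(log: str) -> list[str]:
    """Collect the full paths listed under 'Running processes:' in an HJT log."""
    paths, active = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            active = True
            continue
        if active:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def triage_o4(line: str, procs: list[str]) -> Finding | None:
    """Return a Finding for a suspicious O4 Run/RunServices line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe, _args = split_command(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons, resolved = [], None
    if "\\" not in exe:
        # No directory: Windows walks the search path, and System32 is on it, so a file
        # dropped there wins. Show where the name is actually running from, if listed.
        resolved = next((p for p in procs if p.lower().endswith("\\" + base)), None)
        reasons.append("bare file name, resolved through the search path instead of a fixed location")
    if m["key"] == "RunServices":
        reasons.append("RunServices key: Win9x-era key XP still honours and legitimate XP software rarely uses")
    home = KNOWN_HOMES.get(base)
    where = (resolved or exe).lower()
    if home and home not in where:
        reasons.append(f"{base} normally lives under ...{home}, not {resolved or 'an unknown location'}")
    return Finding(line, resolved, reasons) if reasons else None


def triage_log(log: str) -> list[Finding]:
    procs = running_processes(log)
    return [f for f in (triage_o4(l, procs) for l in log.splitlines()) if f]


# Constructed sample, trimmed from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\jswTss.exe
C:\WINDOWS\System32\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Sonytest] jswTss.exe
O4 - HKLM\..\Run: [Service] ccApp.exe
O4 - HKLM\..\RunServices: [Sonytest] jswTss.exe
O4 - HKLM\..\RunServices: [Service] ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
        if f.resolved:
            print("   running from:", f.resolved)
```

On the sample the script reports exactly the four lines Kat had the poster fix and leaves the McAfee, ctfmon and Messenger entries alone; for `ccApp.exe` it also prints the System32 path it is really running from, which is the masquerade the second HJT log exposed. The heuristics are deliberately narrow: a bare file name or a RunServices entry is not proof of infection on its own, so treat the output as a worklist for the kind of manual check the thread shows, not as a verdict.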

#11
YunYun23 (Topic Starter, New Member, 8 posts)
Well I've decided to reformat it again and it worked... I think it's alright now. Thank you so much for helping though!!

#12
Kat (Retired Staff, 19,711 posts, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.