HijackThis Log File



#1 abbacohen (New Member, 3 posts)
Logfile of HijackThis v1.99.1
Scan saved at 10:41:32 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mcinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\abc\My Documents\My Downloads\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {B438BCD5-F298-0AE8-10B1-85197A24A976} - forces_elite.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: verizononline.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D2CB628-8B23-4086-A10E-67132883488A}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{96E1DE7A-1A42-415C-B127-D27AD2E315A6}: NameServer = 195.95.218.18 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8280E9F-8C61-4B54-A561-B57271A3BD19}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3EAE75-0CD9-41B5-8884-2D1E019C3D36}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome abbacohen to Geeks to Go!

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Download CWShredder.
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
***

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Then run HijackThis, click Scan, and place a checkmark by the following items:

R3 - URLSearchHook: (no name) - {B438BCD5-F298-0AE8-10B1-85197A24A976} - forces_elite.dll (file missing)

O1 - Hosts: localhost 127.0.0.1

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5D2CB628-8B23-4086-A10E-67132883488A}: NameServer = 195.95.218.18,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{96E1DE7A-1A42-415C-B127-D27AD2E315A6}: NameServer = 195.95.218.18 85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{F8280E9F-8C61-4B54-A561-B57271A3BD19}: NameServer = 195.95.218.18,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3EAE75-0CD9-41B5-8884-2D1E019C3D36}: NameServer = 195.95.218.18,85.255.112.11

Close all open windows except for HijackThis and click Fix Checked.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
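The helper's fix list above comes down to a handful of HijackThis sections that can be triaged mechanically: an R3 search hook whose DLL is missing, a non-default O1 hosts entry, O16 downloaded controls, and O17 entries that point an adapter's DNS at servers the owner never configured. The script below is an added example written for this page, not code from the thread, from Geeks to Go, or from HijackThis. It runs those checks over lines quoted from the log in post #1 plus one constructed benign O17 line. `EXPECTED_DNS` is a placeholder (the thread never states which resolvers were legitimate), and the O17 parser accepts both the comma- and the space-separated `NameServer` forms that appear in the log.

```python
"""Triage a HijackThis log for the entry types the helper asked to fix.

Added example for this page; not code from the thread or from HijackThis.
Sample lines are quoted from the log above, plus one constructed benign O17.
"""
import re
from dataclasses import dataclass

# Placeholder: the resolvers this machine is supposed to use. Assumption;
# the thread does not say what the legitimate DNS servers were.
EXPECTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O17"
    severity: str  # "fix" = the helper would have it fixed; "review" = look at it
    reason: str
    line: str


def split_nameservers(value):
    """Split the raw NameServer registry string.

    HijackThis prints the value as stored; the log above shows both
    comma- and space-separated lists, so accept either separator."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def triage(lines, expected_dns=EXPECTED_DNS):
    """Return a Finding for every line that matches one of the checks."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            rogue = [s for s in split_nameservers(m["servers"]) if s not in expected_dns]
            if rogue:
                findings.append(Finding("O17", "fix",
                    "adapter DNS set to unexpected server(s): " + ", ".join(rogue), line))
        elif m := R3_RE.match(line):
            if "(file missing)" in m["file"]:
                findings.append(Finding("R3", "fix",
                    "URLSearchHook references a DLL that no longer exists", line))
        elif m := O1_RE.match(line):
            # HijackThis lists hosts entries other than the default mapping;
            # each one deserves a look, and the helper had this one fixed.
            findings.append(Finding("O1", "review",
                "non-default hosts file entry: " + m["entry"], line))
        elif m := O16_RE.match(line):
            findings.append(Finding("O16", "review",
                f"downloaded ActiveX control '{m['name']}' from {m['url']}", line))
    return findings


def summarize(findings):
    """Count findings per section, which is what a helper scans first."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Lines quoted from the log in post #1, plus one constructed benign O17 line.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {B438BCD5-F298-0AE8-10B1-85197A24A976} - forces_elite.dll (file missing)",
    r"O1 - Hosts: localhost 127.0.0.1",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5D2CB628-8B23-4086-A10E-67132883488A}: NameServer = 195.95.218.18,85.255.112.11",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{96E1DE7A-1A42-415C-B127-D27AD2E315A6}: NameServer = 195.95.218.18 85.255.112.11",
    # Constructed: an adapter that uses the expected resolver, so it must not be flagged.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(results))
```

The O17 check is deliberately an allow-list rather than a block-list: a helper cannot know every rogue resolver, but the machine's owner does know which one or two servers the adapters should be using, so anything else is reported. The benign constructed line in the sample shows that an adapter on the expected resolver produces no finding.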

#3 abbacohen (Topic Starter, New Member, 3 posts)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:32:09 PM, 9/1/2005
+ Report-Checksum: FE38687F

+ Scan result:

HKU\S-1-5-21-1708537768-1343024091-854245398-1003\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1708537768-1343024091-854245398-1003\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1708537768-1343024091-854245398-1003\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1708537768-1343024091-854245398-1003\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup
C:\Documents and Settings\abc\Cookies\abc@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP1\A0000009.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0000042.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001054.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001059.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001064.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001071.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001074.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001078.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001082.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP2\A0001087.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP3\A0001216.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP3\A0001221.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP3\A0001228.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F99B98BA-2908-4742-928B-B9E7D948C471}\RP3\A0001231.exe -> TrojanDropper.Vidro.u : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@clickthrough.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@vad.mainentrypoint[1].txt -> Spyware.Cookie.Mainentrypoint : Cleaned with backup
D:\Documents and Settings\Abba\Cookies\abba@xxxtoolbar[2].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
D:\Documents and Settings\Abba\Local Settings\Temp\p2psetup.exe -> Spyware.P2PNetworking : Cleaned with backup
:mozilla.6:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.7:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.14:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.15:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.16:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.17:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.18:D:\Documents and Settings\Adina.ABBA-51FA455A43\Application Data\Mozilla\Profiles\default\rycq26p5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@hlwd.valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
D:\Documents and Settings\Adina.ABBA-51FA455A43\Cookies\adina@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
D:\Program Files\NewDotNet\newdotnet6_38.dll -> Spyware.NewDotNet : Cleaned with backup
D:\Program Files\NewDotNet\uninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
D:\Program Files\Warez P2P Client\My Shared Folder\power_remove.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
D:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
D:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Cleaned with backup
D:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup


::Report End

#4 abbacohen (Topic Starter, New Member, 3 posts)
Logfile of HijackThis v1.99.1
Scan saved at 12:22:26 AM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\abc\My Documents\My Downloads\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: verizononline.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96E1DE7A-1A42-415C-B127-D27AD2E315A6}: NameServer = 195.95.218.18 85.255.112.11
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

#5 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click Back up Host files
  • Then click Restore original host files
  • Close program
***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O17 - HKLM\System\CCS\Services\Tcpip\..\{96E1DE7A-1A42-415C-B127-D27AD2E315A6}: NameServer = 195.95.218.18 85.255.112.11

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Use Windows Explorer to remove these folders:
D:\Program Files\NewDotNet\
D:\Program Files\AWS\

***

Reboot the computer.

Is the computer running OK?
If so, shall I post you some tips for the future and close this topic?

EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 10 September 2005 - 11:16 AM.
