Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijackthis log - ASAP for client plz [CLOSED]


  • This topic is locked This topic is locked

#1
x3100

x3100

    New Member

  • Member
  • Pip
  • 1 posts
Pretty sure the ones in red need to be removed, but I'm not 100% as I'm still trying to learn to use hijackthis. Nothing has been deleted until verified/corrected.

Logfile of HijackThis v1.99.1
Scan saved at 2:51:23 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.exe
d:\windows\system32\ftpdcau.exe
E:\AntiVir\AVWIN.EXE
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - D:\WINDOWS\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - D:\WINDOWS\system32\vvpuitut.dll
O4 - HKLM\..\Run: [CAPDPSRV] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
O4 - HKLM\..\Run: [MooQ6Xm7X] D:\documents and settings\niki\local settings\temp\MooQ6Xm7X.exe
O4 - HKLM\..\Run: [0nHfA] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*]M*aaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09**aaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*aaaY_D:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*aaaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [4bM] C:\windows\4bM.exe
O4 - HKLM\..\Run: [Wq] C:\windows\Wq.exe
O4 - HKLM\..\Run: [a8BhOLZ] D:\documents and settings\tia\local settings\temp\a8BhOLZ.exe
O4 - HKLM\..\Run: [NRh] D:\documents and settings\tia\local settings\temp\NRh.exe
O4 - HKLM\..\Run: [G] C:\windows\G.exe
O4 - HKLM\..\Run: [R3O] C:\windows\R3O.exe

O4 - HKLM\..\Run: [Wtlloqf] C:\Program Files\Zlqbbt\Kpnuwk.exe
O4 - HKLM\..\Run: [TizzleTalk] D:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [IMGrabber2] D:\WINDOWS\system32\IMGrabber2.exe UI
O4 - HKLM\..\Run: [checkrun] D:\windows\system32\elitedfo32.exe
O4 - HKLM\..\Run: [C50RdCVjP] D:\windows\system32\C50RdCVjP.exe
O4 - HKLM\..\Run: [WinNite] D:\WINDOWS\sxconfig.exe
O4 - HKLM\..\Run: [WNMP System] WNMPS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKLM\..\Run: [BlahDefyBall32] D:\Documents and Settings\All Users\Application Data\blue creative blah defy\creative owns.exe
O4 - HKLM\..\Run: [Dinst] D:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [lanbrup] D:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [Sysnet] D:\DOCUME~1\PHONIC~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [System service62] D:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [bindatadalesoftware] D:\Documents and Settings\All Users\Application Data\amen name bin data\PartWindow.exe
O4 - HKLM\..\Run: [lsass] D:\windows\system32\elitexzn32.exe
O4 - HKLM\..\Run: [System service65] D:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service66] D:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service67] D:\WINDOWS\\etb\pokapoka67.exe

O4 - HKLM\..\Run: [uqetrre] D:\WINDOWS\uqetrre.EXE
O4 - HKLM\..\Run: [System service68] D:\WINDOWS\\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service69] D:\WINDOWS\\etb\pokapoka69.exe
O4 - HKLM\..\Run: [System service70] D:\WINDOWS\etb\pokapoka70.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [biopvsa] d:\windows\system32\ftpdcau.exe r
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.33/ttinst.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - AppInit_DLLs: repairs.dll
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - D:\WINDOWS\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - D:\WINDOWS\system32\vvpuitut.dll
O4 - HKLM\..\Run: [MooQ6Xm7X] D:\documents and settings\niki\local settings\temp\MooQ6Xm7X.exe
O4 - HKLM\..\Run: [0nHfA] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*]M*ažaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09**ažaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*ažaaY_D:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [09*ažažaaYD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\flkbu.exe
O4 - HKLM\..\Run: [4bM] C:\windows\4bM.exe
O4 - HKLM\..\Run: [Wq] C:\windows\Wq.exe
O4 - HKLM\..\Run: [a8BhOLZ] D:\documents and settings\tia\local settings\temp\a8BhOLZ.exe
O4 - HKLM\..\Run: [NRh] D:\documents and settings\tia\local settings\temp\NRh.exe
O4 - HKLM\..\Run: [G] C:\windows\G.exe
O4 - HKLM\..\Run: [R3O] C:\windows\R3O.exe
O4 - HKLM\..\Run: [Wtlloqf] C:\Program Files\Zlqbbt\Kpnuwk.exe
O4 - HKLM\..\Run: [checkrun] D:\windows\system32\elitedfo32.exe
O4 - HKLM\..\Run: [C50RdCVjP] D:\windows\system32\C50RdCVjP.exe
O4 - HKLM\..\Run: [WinNite] D:\WINDOWS\sxconfig.exe
O4 - HKLM\..\Run: [WNMP System] WNMPS.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKLM\..\Run: [BlahDefyBall32] D:\Documents and Settings\All Users\Application Data\blue creative blah defy\creative owns.exe
O4 - HKLM\..\Run: [Dinst] D:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [lanbrup] D:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [Sysnet] D:\DOCUME~1\PHONIC~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [System service62] D:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [bindatadalesoftware] D:\Documents and Settings\All Users\Application Data\amen name bin data\PartWindow.exe
O4 - HKLM\..\Run: [lsass] D:\windows\system32\elitexzn32.exe
O4 - HKLM\..\Run: [System service65] D:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service66] D:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service67] D:\WINDOWS\\etb\pokapoka67.exe
O4 - HKLM\..\Run: [uqetrre] D:\WINDOWS\uqetrre.EXE
O4 - HKLM\..\Run: [System service68] D:\WINDOWS\\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service69] D:\WINDOWS\\etb\pokapoka69.exe
O4 - HKLM\..\Run: [System service70] D:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [biopvsa] d:\windows\system32\ftpdcau.exe r
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.c...ureUploader.cab
O20 - AppInit_DLLs: repairs.dll


NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Uninstall MyWebSearch via the Add/Remove panel.

Locate and delete the following:

AUNPS2.DLL
C:\Program Files\Zlqbbt\
C:\windows\4bM.exe
C:\windows\G.exe
C:\windows\R3O.exe
C:\windows\Wq.exe
D:\Documents and Settings\All Users\Application Data\amen name bin data\
D:\Documents and Settings\All Users\Application Data\blue creative blah defy\
D:\PROGRA~1\MYWEBS~1\
D:\Program Files\ISTsvc\
D:\WINDOWS\dinst.exe
D:\WINDOWS\dsr.dll
D:\WINDOWS\flkbu.exe
D:\WINDOWS\flkbu.exe
D:\WINDOWS\Nail.exe
D:\WINDOWS\sxconfig.exe
D:\windows\system32\C50RdCVjP.exe
D:\windows\system32\elitedfo32.exe
D:\windows\system32\elitexzn32.exe
d:\windows\system32\ftpdcau.exe (or whatever the name may have changed to, as noted above).
D:\WINDOWS\system32\lanbrup.exe
D:\WINDOWS\system32\vvpuitut.dll
D:\WINDOWS\uqetrre.EXE
repairs.dll
WNMPS.EXE


Restart your computer. Post the logs for HijackThis and Ewido.
  • 0

#3
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP