
Hijack/ Virus help needed- HijackThis log [RESOLVED]


  • This topic is locked

#31
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I guess you don't need these emails anymore then? They look deleted anyway...this should get rid of it:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

"c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx"

If you get a PendingOperations message, just close it and restart your computer manually.
  • 0



#32
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
I did as instructed above. Do I need to do anything else?
  • 0

#33
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Run another Kaspersky and Panda scan...hopefully they will come out clear now.
  • 0

#34
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
Pandascan with system restore off:


Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe

----------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 30, 2005 16:01:33
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/10/2005
Kaspersky Anti-Virus database records: 147710
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 33684
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 2533 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0000003.CPY Infected: Trojan.Win32.Small.fb
c:\_RESTORE\TEMP\A0000004.CPY Infected: Trojan-Downloader.Win32.Agent.uj

Scan process completed.
  • 0

#35
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, turn off System Restore again. Shut down your computer overnight... When you turn it on again in the morning, I want you to restart it a few times...

Run KillBox on these two files again and see if they are found and deleted:

c:\_RESTORE\TEMP\A0000003.CPY
c:\_RESTORE\TEMP\A0000004.CPY


Restart and turn on System Restore. Run a new Panda and TrendMicro scan. Anything found?
  • 0

#36
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
I ran KillBox, but when I tried to copy those two files and paste from clipboard, they didn't show up.

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csdms.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000003.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000004.CPY



Trendmicro scan: I couldn't get it to copy but all it found was

C:\_RESTORE\TEMP\A0000004.CPY undeletable
  • 0

#37
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Does SpySweeper find anything if you update and run it again?
  • 0

#38
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
Spysweeper results:

6:05 PM: Found Adware: searchtoolbar
6:05 PM: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
6:35 PM: Found Trojan Horse: trojan-downloader-ruin
6:35 PM: HKLM\software\microsoft\windows\currentversion\urls\ (8 subtraces) (ID = 605127)
6:35 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (129 subtraces) (ID = 605128)
6:42 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
6:42 PM: Found Adware: quicklink search toolbar
6:42 PM: HKU\.DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
6:42 PM: HKU\.DEFAULT\software\searchtoolbar\ (5 subtraces) (ID = 141343)
6:42 PM: Found Adware: balabolka balabolka.biz hijack
6:42 PM: HKU\.DEFAULT\software\microsoft\internet explorer\main\ || home page (ID = 656234)
6:42 PM: Registry Sweep Complete, Elapsed Time:02:34:45

6:42 PM: Starting File Sweep
6:43 PM: Found Adware: screensavers
6:43 PM: sinstaller.inf (ID = 74756)
6:50 PM: c:\program files\screensavers.com (6 subtraces) (ID = -2147480365)
Plus numerous -Warning: Failed to open file ... The process cannot access the file because it is being used by another process. (Almost all were spysweeper files). Didn't know if you need all of those posted.

7:05 PM: Removal process initiated
7:07 PM: Quarantining All Traces: trojan-downloader-ruin
7:07 PM: Quarantining All Traces: balabolka balabolka.biz hijack
7:07 PM: Quarantining All Traces: quicklink search toolbar
7:07 PM: Quarantining All Traces: screensavers
7:07 PM: Quarantining All Traces: searchtoolbar
7:07 PM: Quarantining All Traces: 2o7.net cookie
7:07 PM: Quarantining All Traces: advertising cookie
7:07 PM: Quarantining All Traces: apmebf cookie
7:07 PM: Quarantining All Traces: atlas dmt cookie
7:07 PM: Quarantining All Traces: atwola cookie
7:07 PM: Quarantining All Traces: belnk cookie
7:07 PM: Quarantining All Traces: centrport net cookie
7:07 PM: Quarantining All Traces: coremetrics cookie
7:07 PM: Quarantining All Traces: enhance cookie
7:07 PM: Quarantining All Traces: fastclick cookie
7:07 PM: Quarantining All Traces: go.com cookie
7:07 PM: Quarantining All Traces: nextag cookie
7:08 PM: Quarantining All Traces: overture cookie
7:08 PM: Quarantining All Traces: questionmarket cookie
7:08 PM: Quarantining All Traces: ru4 cookie
7:08 PM: Quarantining All Traces: servedby advertising cookie
7:08 PM: Quarantining All Traces: serving-sys cookie
7:08 PM: Quarantining All Traces: tribalfusion cookie
7:08 PM: Quarantining All Traces: zedo cookie
7:09 PM: Removal process completed. Elapsed time 00:03:58
  • 0

#39
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Can SpySweeper remove those entries if you run it in Safe Mode?

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Just do a scan and save the log. Post it here.
  • 0

#40
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
I have a question. The things I posted above were quarantined. If I select them all then hit delete all, will that remove them? I just installed Spy Sweeper before I started posting here and didn't know how it worked. I checked more into it yesterday. And would that change your instructions above or do I still need to do all that? Thank you for your time!
  • 0



#41
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, if you delete the quarantined files, that will remove them. They shouldn't cause problems when quarantined, but to get rid of them completely, delete the quarantined files.

If you still have problems, then yes, I suggest running through the step I posted earlier.
  • 0

#42
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
Okay I deleted the files. Do I need to do anything else?
  • 0

#43
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
Bad news! My computer was reinfected last night. I had a long talk with the person who is causing this. I am really sorry. I ran a Pandascan, trendmicro scan and Hijackthis.

Incident Status Location

Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware program No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\on.exe
Spyware:spyware/smitfraud No disinfected Windows Registry
Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csdms.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008759.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008760.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008877.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008878.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008886.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008887.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0009885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0009887.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0010885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0010886.CPY
Virus:W32/Smitfraud.D Disinfected C:\_RESTORE\TEMP\A0011070.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0011885.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0011890.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0030885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0030886.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0030901.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0030902.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0000675.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0000676.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0000498.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0000499.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000003.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0001047.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0001048.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002046.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002047.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002171.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002172.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0003169.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0003171.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS29.CAB[A0004171.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS29.CAB[A0004172.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002099.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002100.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0005171.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0005172.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0005277.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0005278.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0005526.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0005527.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0005546.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0005547.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS39.CAB[A0005577.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS39.CAB[A0005578.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0005246.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0005247.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS31.CAB[A0005180.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS31.CAB[A0005181.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0005512.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0005513.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0005402.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0005403.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0005732.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0005734.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0008739.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0008740.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS48.CAB[A0008750.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS48.CAB[A0008751.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS43.CAB[A0006731.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS43.CAB[A0006732.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0008731.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0008732.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0007733.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0007734.CPY]

Virus Scan 0 virus cleaned, 0 virus deleted

Results:
We have detected 31 infected file(s) with 31 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 31 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\_RESTORE\TEMP\A0008760.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0008878.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0008886.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0009885.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0010885.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0011890.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0030885.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0030901.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS20.CAB
- A0000676.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS17.CAB
- A0000498.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS24.CAB
- A0001047.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS25.CAB
- A0002046.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS27.CAB
- A0002171.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS28.CAB
- A0003169.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS29.CAB
- A0004171.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS26.CAB
- A0002099.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS30.CAB
- A0005172.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS33.CAB
- A0005278.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS37.CAB
- A0005527.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS38.CAB
- A0005546.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS39.CAB
- A0005578.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS32.CAB
- A0005247.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS31.CAB
- A0005180.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS36.CAB
- A0005512.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS35.CAB
- A0005402.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS41.CAB
- A0005732.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS47.CAB
- A0008739.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS48.CAB
- A0008750.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS43.CAB
- A0006732.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS46.CAB
- A0008731.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS45.CAB
- A0007734.CPY TROJ_FLUX.E Undeletable

Logfile of HijackThis v1.99.1
Scan saved at 1:20:44 PM, on 11/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.peoplestel.net"); (C:\PROGRAM FILES\NETSCAPE\Users\Default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 41898
O4 - HKLM\..\RunOnce: [Panda_cleaner_208925] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 208925
O4 - HKLM\..\RunOnce: [Panda_cleaner_217351] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 217351
O4 - HKLM\..\RunOnce: [Panda_cleaner_217333] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 217333
O4 - HKLM\..\RunOnce: [Panda_cleaner_217330] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 217330
O4 - HKLM\..\RunOnce: [Panda_cleaner_217325] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 217325
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - HKCU\..\RunServicesOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...592/mcfscan.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe
  • 0

#44
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not good...looks like a Windows file was deleted there. Let's see how this will work out:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and UNcheck that Disable System Restore option so it's enabled back.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe


Delete these files if found:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\on.exe
C:\WINDOWS\SYSTEM\csdms.exe
C:\WINDOWS\SYSTEM\sysvcs.exe


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

If you are using Windows 95/98 or Windows ME, you MUST do the following steps that are enclosed in the starting and ending double lines before proceeding any further (if you have problems STOP right now and tell us what the problem is):
========================================================================
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/s...sinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
========================================================================


Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft.../activescan.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis and smitfiles.txt
  • 0
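
A way to read a long Panda ActiveScan table such as the one in post #43: split the rows into restore-point copies under C:\_RESTORE (which the reply above handles by disabling System Restore), live files, and non-file locations such as the registry. This Python code is an added example, not part of the thread or of any tool named in it; the function names are hypothetical and the row layout is inferred from the logs pasted here.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Rows copied from the Panda ActiveScan table in post #43 of this thread.
SAMPLE_REPORT = r"""
Incident Status Location
Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware program No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\on.exe
Spyware:spyware/smitfraud No disinfected Windows Registry
Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csdms.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008759.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008760.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0000675.CPY]
"""

# Assumed layout: "<Type>:<Name> <Status> <Location>". The name may contain
# spaces ("adware program"), so the two status strings anchor the split.
ROW = re.compile(
    r"^(?P<kind>\w+):(?P<name>.+?)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$"
)
CAB_MEMBER = re.compile(r"^(?P<cab>.+\.CAB)\[(?P<member>[^\]]+)\]$", re.I)
RESTORE_DIR = re.compile(r"^[A-Z]:\\_RESTORE\\", re.I)
DRIVE_PATH = re.compile(r"^[A-Z]:\\", re.I)


class Detection(NamedTuple):
    kind: str              # Adware, Virus, Spyware, Hacktool
    name: str              # vendor detection name
    cleaned: bool          # True when the scanner reported "Disinfected"
    path: str              # file path, archive path, or a non-file location
    member: Optional[str]  # file inside a .CAB archive, if any


def parse_report(text: str) -> List[Detection]:
    """Parse pasted rows; header lines and anything unrecognised are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        location = m["location"].strip()
        cab = CAB_MEMBER.match(location)
        found.append(Detection(
            kind=m["kind"], name=m["name"],
            cleaned=(m["status"] == "Disinfected"),
            path=cab["cab"] if cab else location,
            member=cab["member"] if cab else None,
        ))
    return found


def bucket(d: Detection) -> str:
    """restore_point: System Restore copy; live_file: on disk; non_file: rest."""
    if RESTORE_DIR.match(d.path):
        return "restore_point"
    return "live_file" if DRIVE_PATH.match(d.path) else "non_file"


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    groups: Dict[str, List[Detection]] = {
        "restore_point": [], "live_file": [], "non_file": []}
    for d in detections:
        groups[bucket(d)].append(d)
    return groups


def unresolved_live_files(detections: List[Detection]) -> List[str]:
    """Live files the scanner left in place; each needs a decision by a person."""
    return sorted({d.path for d in detections
                   if bucket(d) == "live_file" and not d.cleaned})


def restore_point_counts(detections: List[Detection]) -> Counter:
    """How many restore-point rows each detection name accounts for."""
    return Counter(d.name for d in detections if bucket(d) == "restore_point")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for group, items in triage(rows).items():
        print(f"{group}: {len(items)}")
    print("unresolved live files:", *unresolved_live_files(rows), sep="\n  ")
```

Run over the full table, the restore-point group collapses dozens of rows into a handful of detection names, leaving the short list of live files to be checked against the reply's delete list.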

#45
tlcfromtn

    Member

  • Topic Starter
  • 69 posts
I downloaded Ewido Security Suite but it says it needs Windows 2000 or above to be installed. I have Windows ME.
  • 0





