Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

2005/06/11 Neznarf Hijack Log [RESOLVED]

Started by neznarf , Jun 11 2005 07:01 AM

  • This topic is locked This topic is locked

#16
neznarf
Posted 06 August 2005 - 03:03 AM

neznarf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I finally got the panda scan to run. I think the silent runner program worked but I didn''t get the final message. I am going to again after I send this. While I was running the silent runner program the computer froze. Here are my Hijack/Panda Soft/Silent Runner lists.

Hijack

Logfile of HijackThis v1.99.1
Scan saved at 3:49:53 AM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) =

www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = 192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program

Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [caseview] C:\WINDOWS\System32\caseview.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc.

- C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec

Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) -

Symantec Corporation - C:\Program Files\Norton Personal

Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) -

Symantec Corporation - C:\Program Files\Norton Personal

Firewall\SymProxySvc.exe



On line scan


Incident Status Location

Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Jim\Application Data\Sskknwrd.dll
Adware:adware/virtualbouncer No disinfected C:\myPcsearch.exe
Adware:Adware/eZula No disinfected C:\oldhdd\Documents and Settings\Jessica\Local Settings\Temp\{89E44270-721E-4084-8EA2-D403098C191E}\LingoWare.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\uninstaller.exe
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\bundles\2504041110.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/ipinsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\Pynix.inf
Spyware:spyware/lzio-media No disinfected C:\WINDOWS\io2uns.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\abasa5jrp.ini
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\bbfos.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\btviejw.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ctfmqmea.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\eadhwdd.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ecjx.exe
Adware:Adware/HuntBar No disinfected C:\WINDOWS\system32\EDow_AS2.exe
Adware:adware/ezula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\hochkaod3.ini
Adware:adware/wupd No disinfected C:\WINDOWS\system32\ide21201.vxd
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\system32\mac80ex.idf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[Uninstall.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[bargains.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[adv.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mac80ex.idf[adx.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\mqexdlm.srg
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\msloejvl.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_auto_wider.swf]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_click_wider.swf]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome1.swf]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[logo.gif]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\rmonng.exe
Adware:adware/wintools No disinfected C:\WINDOWS\system32\TBPS.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\u6f6uftuc.ini
Virus:Trj/Dropper.DA Disinfected C:\WINDOWS\system32\ventura5.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.exe
Adware:adware/afaenhance No disinfected C:\WINDOWS\VCMnet11.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\woinstall.exe






Silent Runners

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc."]
"caseview" = "C:\WINDOWS\System32\caseview.EXE" [file not found]
"(Default)" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"QuickTime Task" = "C:\WINDOWS\System32\qttask.exe" [null data]
"WinTask driver" = "C:\WINDOWS\System32\wintask.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpplugins\ierpplug.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "Explorer.exe C:\WINDOWS\Nail.exe" [MS], [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Jim" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\Jim\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]


Enabled Scheduled Tasks:
------------------------

"Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 47
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

6to4, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Program Files\Norton Personal Firewall\SymProxySvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Program Files\Norton Personal Firewall\NISSERV.EXE" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 392 seconds, including 18 seconds for message boxes)
  • 0

Advertisements

#17
Excal
Posted 06 August 2005 - 09:48 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Thanks for getting that Activescan that helps aloT!

As far as Casview goes, the good news is the file is no longer there, but we can't get rid of it on HiJackthis. Lets see what we can do ;)


Open Hijackthis and do a scan. Check off the following item:

O4 - HKCU\..\Run: [caseview] C:\WINDOWS\System32\caseview.EXE

Click FIX CHECKED, then close HJT


Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme2.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"caseview"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"WinTask driver"-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
"Shell"=-



Locate fixme2.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".



Please remove the following folders using Windows Explorer (if present):

C:\oldhdd\Documents and Settings\Jessica\Local Settings\Temp\{89E44270-721E-4084-8EA2-D403098C191E}
C:\Program Files\CxtPls
C:\Program Files\FwBarTemp
C:\WINDOWS\bundles
C:\Documents and Settings\All Users\Desktop\nailfix

Please download the Killbox.

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\Documents and Settings\Jim\Application Data\Sskknwrd.dll
    C:\myPcsearch.exe
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\farmmext.ini
    C:\WINDOWS\inf\dlmax.inf
    C:\WINDOWS\inf\Pynix.inf
    C:\WINDOWS\io2uns.exe
    C:\WINDOWS\system\QBUninstaller.exe
    C:\WINDOWS\system32\abasa5jrp.ini
    C:\WINDOWS\system32\bbfos.exe
    C:\WINDOWS\system32\btviejw.exe
    C:\WINDOWS\system32\ctfmqmea.exe
    C:\WINDOWS\system32\eadhwdd.exe
    C:\WINDOWS\system32\ecjx.exe
    C:\WINDOWS\system32\EDow_AS2.exe
    C:\WINDOWS\system32\ezPopStub.exe
    C:\WINDOWS\system32\hochkaod3.ini
    C:\WINDOWS\system32\ide21201.vxd
    C:\WINDOWS\system32\mac80ex.idf
    C:\WINDOWS\system32\mqexdlm.srg
    C:\WINDOWS\system32\msloejvl.exe
    C:\WINDOWS\system32\psis80ex.ax
    C:\WINDOWS\system32\rmonng.exe
    C:\WINDOWS\system32\TBPS.ini
    C:\WINDOWS\system32\u6f6uftuc.ini
    C:\WINDOWS\system32\ventura5.exe
    C:\WINDOWS\system32\winupdt.exe
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\woinstall.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
  • Let the system reboot.
I need you to run cleanup again please.

can you please post me a new Silent Runners and a Fresh HiJackthis log.


Thanks,

:tazz:

Excal
  • 0

#18
neznarf
Posted 06 August 2005 - 03:11 PM

neznarf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
K, Here is Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 4:07:29 PM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe

Silent Runners.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc."]
"(Default)" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"QuickTime Task" = "C:\WINDOWS\System32\qttask.exe" [null data]
"WinTask driver" = "C:\WINDOWS\System32\wintask.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpplugins\ierpplug.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Jim" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\Jim\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]


Enabled Scheduled Tasks:
------------------------

"Disk Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 47
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]

HKLM\Software\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

6to4, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Norton Personal Firewall Proxy Service, SymProxySvc, "C:\Program Files\Norton Personal Firewall\SymProxySvc.exe" ["Symantec Corporation"]
Norton Personal Firewall Service, NISSERV, "C:\Program Files\Norton Personal Firewall\NISSERV.EXE" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 241 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 44 seconds.
---------- (total run time: 788 seconds)
  • 0

#19
Excal
Posted 06 August 2005 - 03:45 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Everything looks good now, any more porblems?

:tazz:

Excal
  • 0

#20
neznarf
Posted 06 August 2005 - 11:09 PM

neznarf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Looks like smooth sailing. Thank you.
  • 0

#21
Excal
Posted 06 August 2005 - 11:11 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#22
Excal
Posted 21 August 2005 - 01:50 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP