|
|
|||||||
| Spyware Cleaning Section Closed!! |
| Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services. |
|
|
Thread Tools | Search this Thread |
|
#1
April 15th, 2004, 08:44 PM
|
|||
|
|||
Help me Hijack a Trojan
Hi!
I ran Trend Microsoft's virus checker. It gave me a message suggesting I had 74 non-cleanable, non-deletable (is this a word??) versions of Revop.A in varying parts of a c:\_RESTORE. I ran Adaware, and then Hijack this with the resulting log: Logfile of HijackThis v1.97.7 Scan saved at 6:29:17 PM, on 4/15/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\ATI2EVXX.EXE C:\PROGRAM FILES\WS_FTP PRO\FTPSCHED.EXE C:\WINDOWS\SYSTEM\MDM.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAXX.EXE C:\WINDOWS\SYSTEM\PROMON.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\MY DOWNLOAD FILES\TROJANHUNTER 3.8\THGUARD.EXE C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O1 - Hosts: 203.161.127.141 www.dcsresearch.com O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file) O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [Promon.exe] Promon.exe O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\Run: [ftpqueue] C:\PROGRAM FILES\WS_FTP PRO\ftpqueue.exe -tray O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Tau Monitor] C:\MYDOWN~1\TAUSCA~1.7\taumon.exe O4 - HKLM\..\Run: [THGuard] "C:\MY DOWNLOAD FILES\TROJANHUNTER 3.8\THGUARD.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe O4 - HKLM\..\RunServices: [ftpqueue] C:\PROGRAM FILES\WS_FTP PRO\FTPSCHED.EXE O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: RealDownload.lnk = C:\RealDownload\REALDOWNLOAD.EXE O4 - Startup: Trojan Guarder Gold Version.lnk = C:\My Download Files\Trojan Guarder Gold Version\Trojan Guarder.exe O9 - Extra button: Dell Home (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab Many thanks for the help! Talla |
|
#2
April 15th, 2004, 08:55 PM
|
||||
|
||||
Re: Help me Hijack a Trojan
Hi Talla,
Welcome to Wilders. Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs. Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked: R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O1 - Hosts: 203.161.127.141 www.dcsresearch.com O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file) Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive. There also may be hidden files. See HERE for how to show hidden files. Then reboot into safe mode and delete: C:\PROGRA~1\TOOLBAR\ <-- entire folder Reboot. Go HERE and follow the instructions for disabling system restore. Reboot. Then follow the instructions for enabling system restore and create a new resore point. Regards, Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996 |
|
#4
April 16th, 2004, 01:58 PM
|
||||
|
||||
|
Re: Help me Hijack a Trojan
Hi Talla,
Could you post a new HJT log so we can be sure we got everything. Regards, Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996 |
|
#5
April 16th, 2004, 04:33 PM
|
|||
|
|||
Re: Help me Hijack a Trojan
Hi Kent,
The log: Logfile of HijackThis v1.97.7 Scan saved at 2:31:41 PM, on 4/16/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\ATI2EVXX.EXE C:\PROGRAM FILES\WS_FTP PRO\FTPSCHED.EXE C:\WINDOWS\SYSTEM\MDM.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAXX.EXE C:\WINDOWS\SYSTEM\PROMON.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\MY DOWNLOAD FILES\TROJANHUNTER 3.8\THGUARD.EXE C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [Promon.exe] Promon.exe O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\Run: [ftpqueue] C:\PROGRAM FILES\WS_FTP PRO\ftpqueue.exe -tray O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Tau Monitor] C:\MYDOWN~1\TAUSCA~1.7\taumon.exe O4 - HKLM\..\Run: [THGuard] "C:\MY DOWNLOAD FILES\TROJANHUNTER 3.8\THGUARD.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe O4 - HKLM\..\RunServices: [ftpqueue] C:\PROGRAM FILES\WS_FTP PRO\FTPSCHED.EXE O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: RealDownload.lnk = C:\RealDownload\REALDOWNLOAD.EXE O4 - Startup: Trojan Guarder Gold Version.lnk = C:\My Download Files\Trojan Guarder Gold Version\Trojan Guarder.exe O9 - Extra button: Dell Home (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab Thanks, Talla |
|
#6
April 16th, 2004, 04:38 PM
|
||||
|
||||
|
Re: Help me Hijack a Trojan
Hi Talla,
It looks like we got everything as your log is clean. Hopefully your problems are fixed. Regards, Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996 |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
Re: Help me Hijack a Trojan
