|
|
|||||||
| Spyware Cleaning Section Closed!! |
| Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services. |
|
|
Thread Tools | Search this Thread |
|
#1
July 18th, 2004, 04:39 AM
|
||||
|
||||
Hijackthis Log from infected computer
This computer has been put through Adaware and Spybot, but remains pretty ill. I cannot provide many details on the specific problems as it isn't my computer, but by looking at some of these entries I assume this log will make sense to some of you.
Thanks in advance for your help. Logfile of HijackThis v1.98.0 Scan saved at 1:40:37 AM, on 7/18/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe C:\WINDOWS\System32\IEHost.exe C:\Program Files\Common Files\Dpi\dpi.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Winamp\Winamp.exe C:\WINDOWS\System32\ir4ew.exe C:\WINDOWS\System32\dvdrddlg.exe C:\Program Files\SysAI\SysAI.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\PROGRA~1\Valve\Steam\Steam.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\System32\svchost.exe D:\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file) O2 - BHO: (no name) - SOFTWARE - (no file) O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [axgMY7eJB.exe] C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe O4 - HKLM\..\Run: [5SX4Q2C33ZR8LC] C:\WINDOWS\System32\MfhMTcA.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [5RNJ4M9486NQRT] C:\WINDOWS\System32\FlslA.exe O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe O4 - HKLM\..\Run: [vF7X32P] ir4ew.exe O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q O4 - HKCU\..\Run: [eoo7RSj3g] dvdrddlg.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Startup: trillian.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/035f2ea7058bba7fd605/netzip/RdxIE601.cab |
|
#2
July 18th, 2004, 01:01 PM
|
||||
|
||||
|
Re: Hijackthis Log from infected computer
Hi TyrNemesis^
Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net. Uninstall IE SearchBar from "Add/Remove Programs" in the Windows® Control Panel. Look for an entry called 'IE SearchBar' http://www.kephyr.com/spywarescanner...ar/index.phtml Save HijackThis in a convenient permanent folder such as C:\HJT - the program will make backups and you don't want them scattered around. Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file) O2 - BHO: (no name) - SOFTWARE - (no file) O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file) O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [axgMY7eJB.exe] C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe O4 - HKLM\..\Run: [5SX4Q2C33ZR8LC] C:\WINDOWS\System32\MfhMTcA.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [5RNJ4M9486NQRT] C:\WINDOWS\System32\FlslA.exe O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe O4 - HKLM\..\Run: [vF7X32P] ir4ew.exe O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q O4 - HKCU\..\Run: [eoo7RSj3g] dvdrddlg.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/035f2ea7...p/RdxIE601.cab NOTE.........even in safe mode you may have to open taskmanager and end task on some of them before you can delete them. Make sure you can view hidden and system files: Instructions here Then Boot to safe mode: Instructions here Delete the following files\folders IF still present: C:\WINDOWS\System32\SearchBar.htm C:\PROGRA~1\Lycos <--folder C:\Program Files\SEP <-----folder C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe C:\WINDOWS\System32\IEHost.exe C:\WINDOWS\System32\MfhMTcA.exe C:\Program Files\AutoUpdate <-----folder C:\Program Files\Common Files\Dpi <------folder C:\WINDOWS\System32\FlslA.exe C:\WINDOWS\System32\automove.exe C:\Program Files\TV Media <-----folder C:\PROGRA~1\CLOCKS~1 <-----folder C:\WINDOWS\System32\ms.exe Then reboot and use AdAware as described : HERE Spybot S&D The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html Install by double-clicking on the downloaded file. Run Spybot S&D from desktop icon or Start menu. Press "Search for updates" button to get list of updates available. Press "Download updates" button. Close all IE windows and close & restart Spybot S&D. Press "Check for problems" button. Have SpyBot remove all it marks in red by pressing "Fix selected problems". Close Spybot S&D, reboot your system . Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files in it. Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well. Then Disable system restore: Instructions here Reboot Enable System Restore. Pls. post another log. |
|
#3
July 19th, 2004, 04:59 PM
|
||||
|
||||
|
Re: Hijackthis Log from infected computer
Thanks very much for your help, Marianna. We've managed to slaughter all but one little problem. Here is the new log. It still looks ugly to me, but I'm not very well-trained at recognizing these things yet, so I'll leave it to your judgement.
Thanks again! Logfile of HijackThis v1.98.0 Scan saved at 1:04:01 PM, on 7/2/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\TBPanel.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe C:\WINDOWS\System32\IEHost.exe C:\WINDOWS\System32\ssdpprov.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\stllt1.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\ZdicW.exe C:\WINDOWS\System32\ZdicW.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\system32\pcs\pcsvc.exe C:\Program Files\Common Files\Dpi\dpi.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe D:\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=4581601 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 81.211.105.69 lender-search.com O1 - Hosts: 81.211.105.68 hot-searches.com O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [axgMY7eJB.exe] C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe O4 - HKLM\..\Run: [5SX4Q2C33ZR8LC] C:\WINDOWS\System32\YwcW.exe O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe O4 - HKLM\..\Run: [vF7X32P] ssdpprov.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q O4 - HKCU\..\Run: [eoo7RSj3g] stllt1.exe O4 - Startup: trillian.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file) |
|
#4
July 19th, 2004, 06:17 PM
|
||||
|
||||
|
Re: Hijackthis Log from infected computer
Hi TyrNemesis^
Quote:
Don't think so.........still "some nasty survivors"  Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net. Download CWShredder from this link: http://www.spywareinfoforum.com/down...CWShredder.exe Run CWShredder.exe and click the Fix button to clean. Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=4581601 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com* O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts O1 - Hosts: 81.211.105.69 lender-search.com O1 - Hosts: 81.211.105.68 hot-searches.com O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll O4 - HKLM\..\Run: [axgMY7eJB.exe] C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe O4 - HKLM\..\Run: [5SX4Q2C33ZR8LC] C:\WINDOWS\System32\YwcW.exe O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe O4 - HKLM\..\Run: [vF7X32P] ssdpprov.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q O4 - HKCU\..\Run: [eoo7RSj3g] stllt1.exe O4 - Startup: trillian.lnk = ? O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe NOTE.........even in safe mode you may have to open taskmanager and end task on some of them before you can delete them. Make sure you can view hidden and system files: Instructions here Then Boot to safe mode: Instructions here Delete the following files\folders IF still present: C:\WINDOWS\System32\SearchBar.htm C:\Program Files\ClearSearch <----folder C:\Program Files\SEP <-----folder C:\Program Files\Common Files\midaddle <-------folder C:\documents and settings\ava\local settings\temp\axgMY7eJB.exe C:\WINDOWS\System32\IEHost.exe C:\WINDOWS\System32\YwcW.exe C:\WINDOWS\System32\dp-him.exe C:\Program Files\AutoUpdate <-----folder C:\WINDOWS\system32\pcs <-----folder C:\Program Files\Common Files\Dpi -----folder C:\PROGRA~1\CLOCKS~1 <-----folder C:\WINDOWS\System32\ms.exe Then reboot and use AdAware as described : HERE to clean up the "remnants" ! Then use the Disk Cleanup Utility to empty all your Temp folders. Then Disable system restore: Instructions here Reboot Enable System Restore. Pls. post another log. |
|
#5
July 20th, 2004, 03:05 PM
|
||||
|
||||
|
Re: Hijackthis Log from infected computer
Oh dear. It would appear that the log I posted was an old one. Here is the correct new one listing the ACTUAL problems. Thanks.
Logfile of HijackThis v1.98.0 Scan saved at 12:09:00 PM, on 7/20/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\dmaroll.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\cartm.exe C:\Program Files\Trillian\trillian.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Winamp\Winamp.exe C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\HJT\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [vF7X32P] dmaroll.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [eoo7RSj3g] cartm.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Startup: trillian.lnk = ? O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe |
|
#6
July 20th, 2004, 06:59 PM
|
||||
|
||||
|
Re: Hijackthis Log from infected computer
Hi TyrNemesis^
Press Ctrl+Alt+Del and 'end task' on any of the follow that are present: dmaroll.exe cartm.exe Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing O4 - HKLM\..\Run: [vF7X32P] dmaroll.exe O4 - HKCU\..\Run: [eoo7RSj3g] cartm.exe Then reboot and use AdAware as described : HERE Spybot S&D The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html Install by double-clicking on the downloaded file. Run Spybot S&D from desktop icon or Start menu. Press "Search for updates" button to get list of updates available. Press "Download updates" button. Close all IE windows and close & restart Spybot S&D. Press "Check for problems" button. Have SpyBot remove all it marks in red by pressing "Fix selected problems". Close Spybot S&D, reboot your system . Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files in it. Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well. Then Disable system restore: Instructions here Reboot Enable System Restore. Problems gone? |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
