MAKE IT GO AWAY...PLEASE

CURRENT LOG
Logfile of HijackThis v1.97.7
Scan saved at 1:46:40 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\st.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A8C42E-826C-402B-BE87-A5B674DDA56D} - C:\WINDOWS\System32\ombi.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"

 

Hi FASTASU,

I'm afraid you log is missing the lower half of it.

First, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis.exe file into the new folder. HijackThis must run from it's own folder (not the Desktop or Temp folders) as it creates backups in the folder it is ran from, so if you should delete something accidently, you will be able to restore from the backups.

Download and run CWShredder
Make sure ALL browsers and any open windows are closed before running CWShredder.
Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

Next, Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

1. Put a check inside the items listed for download and install them.
2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

Follow these instructions for setting up Ad-Aware for a full scan:
How To Perform a "Full Scan" with Ad-Aware6.

Followup with a full system scan at one of these on-line antivirus scan sites: Free Services

Then run Hijackthis again, and click on the "Scan" button. When the scan is finished, the "Scan" button will then change to a "Save Log" button. Press the "Save Log" button. Copy and paste the entire contents here in this thread.

Regards,

snap

 

Re: MAKE IT GO AWAY...PLEASE upon further review

Logfile of HijackThis v1.97.7
Scan saved at 9:14:29 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\st.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

Hi FASTASU

That's a very short log!

Unless you know what this file is for: st.exe, then bring up TaskManager (ctrl+alt+del keys) and end the running process for it, if you can.
Then find the 'st.exe' file in the Windows folder and upload it to Kaspersky for a scan.
(post back here what the scan results are for the file, please)


In Hijackthis, place a check beside the following items.
Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

Then go to Housecall, do a FULL system scan, and let it fix/delete what it finds.

For more information and cleaning instructions:
netdc.exe - BKDR_CCT.A backdoor: See Trend Micro
and this file (st.exe) may be - TROJ_KREPPER.E: See Trend Micro

Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

Because your log is so short, would you please open MSConfig by clicking the Start button, then click Run, then type in msconfig. Put a check in the box beside "Normal Startup - Load all device drivers and services" option. This will let everything in the startup run, and allow us to see if there is anything there that may need removed.

Reboot your computer, and post a new hijackthis log here in this thread to be checked.

Regards,

snap