ARGGGGGGGG help plz :'( GULP

Discussion in 'adware, spyware & hijack cleaning' started by ihateadware, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. ihateadware

    ihateadware, Registered Member (joined Jun 7, 2004; posts: 1)

    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:18 PM, on 6/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
    C:\windows\temp\K.exe
    C:\WINDOWS\system32\wintime.exe
    C:\WINDOWS\System32\svchosd.exe
    C:\Program Files\RSNet\RSEDNClient.exe
    C:\windows\cvchost.exe
    C:\WINDOWS\System32\wintsu.exe
    C:\Documents and Settings\Oscar Koeneke\Application Data\asra.exe
    C:\Program Files\ClockSync\Sync.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\WINDOWS\System32\dllcache\IExplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\dllcache\IExplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM+\AIM+.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\rsvp.exe
    C:\Documents and Settings\Oscar Koeneke\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
    O4 - HKLM\..\Run: [ekpysmm] rundll32 C:\WINDOWS\System32\ekpysmm.dll,Init 1
    O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
    O4 - HKLM\..\Run: [yeahdude.exe] hallowelt.exe
    O4 - HKLM\..\Run: [K] C:\windows\temp\K.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [cuaansjn] C:\WINDOWS\System32\kfnuzhr.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [yeahdude.exe] hallowelt.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
    O4 - HKCU\..\Run: [Oruu] C:\Documents and Settings\Oscar Koeneke\Application Data\asra.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\OSCARK~1\LOCALS~1\Temp\wu.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A353296-E45C-4519-9B88-98DCF3852050}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0A353296-E45C-4519-9B88-98DCF3852050}: NameServer = 207.69.188.187 207.69.188.186
    ^
    |
    |
    |
    Could you guys plz help me out?
    thnx in advance
     
    Last edited: Jun 8, 2004
  2. Unzy

    Unzy, Registered Member (joined Nov 2, 2003; posts: 1,098; location: Belgium)

    Hi ihateadware,

    Hmm, a ton of spyware I'm afraid: gaobot/agobot and the blaster worm.

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll

    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
    O4 - HKLM\..\Run: [ekpysmm] rundll32 C:\WINDOWS\System32\ekpysmm.dll,Init 1
    O4 - HKLM\..\Run: [yeahdude.exe] hallowelt.exe
    O4 - HKLM\..\Run: [K] C:\windows\temp\K.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [cuaansjn] C:\WINDOWS\System32\kfnuzhr.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [yeahdude.exe] hallowelt.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsu.exe
    O4 - HKCU\..\Run: [Oruu] C:\Documents and Settings\Oscar Koeneke\Application Data\asra.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\OSCARK~1\LOCALS~1\Temp\wu.exe

    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: winlogin.exe

    Next make sure all hidden files/folders are set to show: Here's How

    Then restart the PC in Safe Mode: Here's How, and remove (if still present):

    C:\Program Files\Lycos\Sidesearch\ <- this folder
    C:\WINDOWS\System\WINSTA~1.EXE <- this file
    C:\WINDOWS\System32\version.exe <- this file
    C:\windows\temp\K.exe <- this file
    mslaugh.exe <- this file (via start -> search -> files/folders)
    C:\WINDOWS\system32\wintime.exe <- this file
    C:\WINDOWS\winupd.exe <- this file
    svchosd.exe <- this file (via start -> search -> files/folders) NOTE : do NOT delete svchost in system32 folder = legit!
    C:\Program Files\Internet Optimizer\ <- this folder
    C:\WINDOWS\System32\kfnuzhr.exe <- this file
    C:\Program Files\Power Scan\ <- this folder
    C:\WINDOWS\Downloaded Program Files\bridge.dll <- this file
    C:\WINDOWS\mstasks2.exe <- this file
    C:\Program Files\ISTsvc\ <- this folder
    hallowelt.exe <- this file (via start -> search -> files/folders)
    C:\Program Files\RSNet\ <- this folder
    C:\WINDOWS\svchost.exe <- this file (Note: ONLY the one in THAT folder!! The system32 one is LEGIT)
    C:\Program Files\Internet Explorer\IEengine.exe <- this file
    c:\windows\cvchost.exe <- this file
    C:\WINDOWS\System32\wintsu.exe <- this file
    C:\Documents and Settings\Oscar Koeneke\Application Data\asra.exe <- this file
    C:\Program Files\ClockSync\ <- this folder
    C:\DOCUME~1\OSCARK~1\LOCALS~1\Temp\wu.exe <- this file
    C:\Program Files\Common Files\updater\ <- this folder
    C:\Program Files\PrecisionTime\ <- this folder
    C:\Program Files\Date Manager\ <- this folder
    C:\Program Files\Common Files\GMT\ <- this folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Download fixes for :

    MSBlast

    Gaobot

    Update XP and IE ASAP via windowsupdate.com

    Post another log so we can check up

    Hope this helps

    Cheers,
     
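The judgement calls Unzy makes on the O4 entries above (an autostart with no directory that has to be located by file search, files launched from temp or profile folders, svchosd/cvchost/winlogin imitating svchost and winlogon, and a svchost.exe living outside System32) can be applied mechanically to a HijackThis log as a first-pass triage. This is an added example, not code from the thread or from HijackThis; the similarity threshold, the suspect-folder list and the set of imitated system names are assumptions I chose, and a flag means "look at this", not "delete this".

```python
import re
from difflib import SequenceMatcher

# Constructed example, not code from the thread. Heuristics mirror what Unzy acted on:
# autostart entries with no directory (find via file search), entries run from temp,
# profile or Startup folders, names mimicking system binaries (svchosd/cvchost for
# svchost, winlogin for winlogon) and a system binary name outside System32.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "smss.exe", "services.exe"}
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\programs\\startup\\")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")

def target_of(cmd):
    """Executable (or DLL handed to rundll32) that an O4 command line launches."""
    if " = " in cmd:                      # Global Startup: shortcut.lnk = target
        target = cmd.split(" = ", 1)[1]   # .lnk targets are written unquoted
        return "" if target == "?" else target
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if not tokens:
        return ""
    if tokens[0].lower().startswith("rundll32") and len(tokens) > 1:
        return tokens[1].split(",")[0]    # rundll32 <dll>,<entry point>
    return tokens[0]

def lookalike(base):
    """System binary name that `base` closely resembles but does not equal, else None."""
    for legit in SYSTEM_NAMES:
        if base != legit and SequenceMatcher(None, base, legit).ratio() >= 0.85:
            return legit
    return None

def classify_o4(line):
    """Reasons an O4 line deserves review; [] means the heuristics saw nothing."""
    m = O4_RE.match(line.strip())
    exe = target_of(m.group("cmd")) if m else ""
    if not exe:
        return []
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in exe:
        reasons.append("no path: locate via file search")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from temp/profile/startup folder")
    legit = lookalike(base)
    if legit:
        reasons.append(f"name mimics {legit}")
    elif base in SYSTEM_NAMES and "\\system32\\" not in low:
        reasons.append(f"{base} outside System32")
    return reasons
```

Run `classify_o4` over each line of a saved log; entries that return an empty list still need a human look (the adware Global Startup shortcuts above are not caught by these rules).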