MAKE IT GO AWAY...PLEASE

Discussion in 'adware, spyware & hijack cleaning' started by FASTASU, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. FASTASU

    FASTASU Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2
    CURRENT LOG
    Logfile of HijackThis v1.97.7
    Scan saved at 1:46:40 PM, on 7/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\st.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {35A8C42E-826C-402B-BE87-A5B674DDA56D} - C:\WINDOWS\System32\ombi.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
     
    Last edited: Jul 2, 2004
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi FASTASU,

    I'm afraid your log is missing the lower half of it.

    First, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis.exe file into the new folder. HijackThis must run from its own folder (not the Desktop or Temp folders) as it creates backups in the folder it is run from, so if you should delete something accidentally, you will be able to restore from the backups.

    Download and run CWShredder
    Make sure ALL browsers and any open windows are closed before running CWShredder.
    Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

    Next, Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.

    Follow up with a full system scan at one of these on-line antivirus scan sites: Free Services

    Then run Hijackthis again, and click on the "Scan" button. When the scan is finished, the "Scan" button will then change to a "Save Log" button. Press the "Save Log" button. Copy and paste the entire contents here in this thread.

    Regards,

    snap
     
  3. FASTASU

    FASTASU Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2
    Re: MAKE IT GO AWAY...PLEASE upon further review

    Logfile of HijackThis v1.97.7
    Scan saved at 9:14:29 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\st.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi FASTASU

    That's a very short log!

    Unless you know what this file is for: st.exe, then bring up TaskManager (ctrl+alt+del keys) and end the running process for it, if you can.
    Then find the 'st.exe' file in the Windows folder and upload it to Kaspersky for a scan.
    (post back here what the scan results are for the file, please)


    In Hijackthis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

    Then go to Housecall, do a FULL system scan, and let it fix/delete what it finds.

    For more information and cleaning instructions:
    netdc.exe - BKDR_CCT.A backdoor: See Trend Micro
    and this file (st.exe) may be - TROJ_KREPPER.E: See Trend Micro

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Because your log is so short, would you please open MSConfig by clicking the Start button, then click Run, then type in msconfig. Put a check in the box beside "Normal Startup - Load all device drivers and services" option. This will let everything in the startup run, and allow us to see if there is anything there that may need removed.

    Reboot your computer, and post a new hijackthis log here in this thread to be checked.

    Regards,

    snap
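
An added example, not part of the original thread and not HijackThis's own code: a small Python triage script that parses HijackThis-format entry lines and flags the two patterns raised above, a Shell= value that carries something besides explorer.exe and an Internet Explorer R0/R1 setting that points at a local file:// page. The sample lines are copied from the logs posted in this thread; the function names, rule names and heuristics are assumptions of this example.

```python
import re

# Entry lines look like "F2 - REG:system.ini: Shell=explorer.exe C:\...\netdc.exe".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    matches = (ENTRY_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def extra_shell_command(body):
    """Return whatever a Shell= value carries besides explorer.exe, or None."""
    _, sep, value = body.partition("Shell=")
    if not sep:
        return None
    value = value.strip()
    if value.lower().startswith("explorer.exe"):
        value = value[len("explorer.exe"):].strip()
    return value or None

def triage(log_text):
    """Flag entries matching the two patterns (heuristics assumed by this example)."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("F0", "F2"):
            extra = extra_shell_command(body)
            if extra:
                findings.append((section, "shell-extra-program", extra))
        elif section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.lower().startswith("file://"):
                # Report only the value name, e.g. "Search Bar".
                findings.append((section, "ie-setting-local-file", key.rsplit(",", 1)[-1]))
    return findings

# Sample lines taken from the two logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

if __name__ == "__main__":
    for section, rule, detail in triage(SAMPLE_LOG):
        print(f"{section}: {rule}: {detail}")
```

A finding is a prompt to look at the entry, not a verdict; the file it names still needs to be scanned, as requested for st.exe above.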
     