flowerpot Posted May 16, 2005
from what i can see chile has quite a lot of unnecessary? junk on there......interesting tho
Steve (Author) Posted May 16, 2005
is my computer fucked up steve ?
Let's just say it's not looking good mate. It's going to take some fixing. You've got that fucking NewDotNet too. Have you got Ad-Aware? If not, download it HERE. Install it, update it to the latest reference file then scan your machine and remove everything that it finds. Then reboot and before you start up any programs at all, run HijackThis again and get a new log and post that. Hopefully it will be a bit shorter than that one.
I ain't forgotten about you either Chile. Just not really in the mood for looking at these things today, but I will do it this evening.
Mowgli Posted May 16, 2005
MUCH APPRECIATED STEVE.

Logfile of HijackThis v1.99.1
Scan saved at 18:05:38, on 05/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\Rar$EX03.813\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digitalvertigo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/
F2 - REG:system.ini: Shell=
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Winsock2 drivers] winnt32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrvDef3.0] C:\Program Files\PCSecurityShield\PrivacyDefender3\PrvDef3.0.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Steve (Author) Posted May 16, 2005
Chile........ Read the whole post before you start mate.

First off, uninstall the MSN Toolbar via Add/Remove Programs. It's a pile of shite. Then reboot.

Run HijackThis and check off all of the following. Some items may no longer be there after uninstalling the toolbar: -

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=317
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sTManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - (no file)

Close ALL browser windows (IE etc.) and hit Fix Checked.

Reboot one more time and browse to these folders and delete them if they exist: -

C:\Program Files\MSN Apps
C:\Program Files\McAfee.com

Now start IE and hit Tools, Internet Options, Programs (tab), Reset Web Settings, Apply then OK.

Finally, hit Start then Run and type "services.msc" without quotes and hit Enter. Scroll down to the Windows User Mode Driver Framework, left click it to select it then right click it and set the startup type to Disabled. Then hit Apply then OK.

I've disabled a lot of stuff from starting when the PC boots so hopefully your PC will run a little swifter. You can start programs such as Skype, MSN Messenger, Shareaza, Daemon Tools etc. from shortcuts as and when required rather than having them running constantly. If you'd rather they did start when your PC is first turned on, just don't tick the relevant O4 entry when you use HijackThis.

I'll get started on yours later Mowgli.
chile Posted May 16, 2005
SicK, cheers mate w0000t
Steve (Author) Posted May 16, 2005
Mowgli, first off mate, you need to follow these instructions to try and get rid of the hideous NewDotNet: -

http://www.newdotnet.com/removal.html

Try the first removal option there, then reboot. Run HijackThis again and have a quick look through the log. If you see any entries relating to NewDotNet, move on to the second removal option on the site and so on. After trying all four options, NewDotNet will hopefully be gone. In any case, you'll have to post yet another new log once you've done this I'm afraid.

Oh and check your PMs too.
alkatrazz Posted May 25, 2005
Hey Stevoruni or anyone that can analyze this can you have a look. It's for my best friend, he wants to salvage it if possible. I'm pretty sure he has a trojan but I'm not at all an authority on these hijack logs. Please, if you have time. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:48:54 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\temp\salm.exe
C:\WINDOWS\tkfqx.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\WINDOWS\system32\t2ntd21s.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FA44E0B8-94FB-B558-21D3-8EAFF31A169A} - C:\WINDOWS\syszl.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [tkfqx] C:\WINDOWS\tkfqx.exe
O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [t2ntd21s] C:\WINDOWS\system32\t2ntd21s.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - Global Startup: D-Link Air Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Steve (Author) Posted May 25, 2005
Some spyware in there mate and at least one trojan, but we can sort that out easily enough. The file zeta.exe is a trojan sometimes known as "LowZones". It changes your security settings to the lowest possible which means that all sorts of crap installs from websites without any prompting. It also adds a list of sites (the O15 entries in the log) to the Trusted Zone. Extremely fucking annoying!

First off go to Add/Remove Programs and get rid of anything that looks like this: -

Internet Optimizer
180 Solutions
Bullseye Networks
Slotch Toolbar
WindUpdates
WinStat
ViewPoint Toolbar
Zesoft
Search Assistant

Look for names that are obvious spyware - shit that has the word "Bargains" in it or any toolbars that you don't recognise. If you do remove anything, once you're done restart the PC.

Press Control/Alt/Delete, click on the Processes tab and end the following if they're running: -

salm.exe
tkfqx.exe
bargains.exe
WinStat.exe
t2ntd21s.exe
WinStatKeep.exe
optimize.exe
viewmgr.exe
zeta.exe

Run HijackThis and check off all of the following if they exist. Some may not after removing some of the items mentioned above via Add/Remove: -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FA44E0B8-94FB-B558-21D3-8EAFF31A169A} - C:\WINDOWS\syszl.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [tkfqx] C:\WINDOWS\tkfqx.exe
O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [t2ntd21s] C:\WINDOWS\system32\t2ntd21s.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Make sure both Avant and IE are closed and hit Fix Checked.

Reboot your PC and tap F8 as it's starting up. When the boot menu appears, select Safe Mode and your machine will start.

Start Windows Explorer, not Internet Explorer, then hit Tools then Folder Options. Click on the View tab and make sure the following are set like this: -

Show hidden files and folders (Selected)
Hide extensions for known file types (NOT selected)
Hide protected operating system files (Recommended) (NOT Selected)

Then hit Apply then OK.

Now, you must browse to these files and folders and delete them all if they exist: -

C:\WINDOWS\system32\ecyiv.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\syszl.dll
C:\Temp\salm.exe
C:\WINDOWS\tkfqx.exe
C:\WINDOWS\system32\t2ntd21s.exe
C:\WINDOWS\System32\toolbar.dll
C:\WINDOWS\zeta.exe
C:\Program Files\Viewpoint
C:\Program Files\Internet Optimizer
C:\Program Files\BullsEye Network
C:\Program Files\Windows AdStatus

Now, run Disk Cleanup from the System Tools section of your Start Menu. Make sure you delete all temporary files, including the Recycle Bin.

Reboot your PC into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to low - if it has (which in this case I think it will have been), click on Default Level. Then hit Apply then OK.

I would recommend doing this to get your PC nice and cleaned up: -

1. Download and install CCleaner from HERE. Install it and hit "Run Cleaner" bottom right. Simple as that. It's a good idea to reboot once it's done.

2. Download RegSeeker from HERE. Run it and make sure the box in the bottom left corner to backup before deletion is checked. Click "Clean The Registry" in the menu on the left hand side. Make sure all the boxes on the next screen are checked (one won't be), then hit "OK!". Once the scan is complete, hit "Select All" at the bottom of the screen - all the items should turn yellow. Right click any one of them on the list and choose "Delete selected items". Then exit the program. At this point you definitely must reboot.

3. Finally, download NTREGOPT from HERE. Run it and hit "OK" to scan your registry. It only takes a minute or two and then a prompt will appear telling you to reboot. Once the PC has rebooted, your clean compacted registry will replace the old bloated one and you should be good to go.

Repeat steps 1-3 above every so often and your PC should stay on top form. Any cookies will be lost when you run CCleaner (this can be changed in the options) so you'll need to log into any sites that require passwords again.

You should hook your friend up with Kaspersky, because some of the infections, if not all of them, would have been caught. A good firewall would also be a good idea, rather than using the built in Windows one.

If you have any more problems, post a fresh log right after rebooting the machine. I think I got everything so you should be OK. You might want to print this post out cos the instructions are lengthy.
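The checks Steve applies by eye above (IE start/search settings served from inside a DLL, O15 Trusted Zone additions that the LowZones trojan plants, autostart entries in Temp or directly under C:\WINDOWS, BHOs with no file behind them, O10 Winsock hijacks, and services with an unknown owner) can be scripted as a first-pass triage of a HijackThis log. The script below is an added example written for this thread, not part of HijackThis and not Steve's own procedure; all function and constant names are my own, and the sample log lines are constructed from entries quoted in the thread plus a few benign ones.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Section prefix such as "O4" or "R1", then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Executable path following the "[name]" part of an O4 autostart entry.
O4_PATH_RE = re.compile(r'\]\s*"?([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# An .exe sitting directly in the Windows directory, e.g. C:\WINDOWS\tkfqx.exe.
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")
TEMP_DIRS = ("c:\\temp\\", "\\local settings\\temp\\", "\\locals~1\\temp\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _check_r(section: str, body: str) -> Optional[str]:
    low = body.lower()
    if section == "R3" and "missing" in low:
        return "default URLSearchHook has been removed"
    if "res://" in low and ".dll/" in low:
        return "IE start/search setting is served from inside a DLL"
    return None

def _check_o2(body: str) -> Optional[str]:
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        return "BHO registered with no file behind it"
    return None

def _check_o4(body: str) -> Optional[str]:
    m = O4_PATH_RE.search(body)
    if not m:
        return None  # bare filenames and rundll32 entries are left for manual review
    path = m.group(1).lower()
    if any(d in path for d in TEMP_DIRS):
        return "autostart executable lives in a Temp directory"
    if WINDOWS_ROOT_EXE.fullmatch(path):
        return "autostart executable sits directly under C:\\WINDOWS"
    return None

def _check_o23(body: str) -> Optional[str]:
    low = body.lower()
    if "unknown owner" not in low:
        return None
    path = low.rsplit(" - ", 1)[-1].strip()  # last field is the service binary
    if "(no file)" in path or WINDOWS_ROOT_EXE.fullmatch(path):
        return "service with unknown owner and a suspicious binary"
    return None

def triage_line(line: str) -> Optional[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reason = None
    if section in ("R0", "R1", "R3"):
        reason = _check_r(section, body)
    elif section == "O2":
        reason = _check_o2(body)
    elif section == "O4":
        reason = _check_o4(body)
    elif section == "O10":
        reason = "Winsock LSP chain hijacked"
    elif section == "O15":
        reason = "site or IP range added to the IE Trusted Zone"
    elif section == "O23":
        reason = _check_o23(body)
    return Finding(section, reason, line.strip()) if reason else None

def triage_log(text: str) -> list:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: entries quoted in the thread mixed with benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ecyiv.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FA44E0B8-94FB-B558-21D3-8EAFF31A169A} - C:\WINDOWS\syszl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [tkfqx] C:\WINDOWS\tkfqx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.slotch.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Anything the script flags still needs the manual judgement Steve applies in the thread; it only narrows a long log down to the entries worth reading first.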
Guest Deeswift Posted May 25, 2005 Damn, some top advice and well explained.
CompeteWithPete Posted June 24, 2005 OK, this is my cousin's computer. She says it runs LIKE SHIT and she wants to know if y'all can hook her up.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
c:\windows\system32\rvsxjqq.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINDOWS\System32\snmp.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Idania\LOCALS~1\Temp\Rar$EX01.406\HijackThis.exe
C:\DOCUME~1\Idania\LOCALS~1\Temp\Rar$EX01.578\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://more-pages.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xpohau] c:\windows\system32\nvpksg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bcnxpa] c:\windows\system32\rvsxjqq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O21 - SSODL: eplrr - {4EFAD475-24B2-4620-9D2E-C92D7494C884} - C:\WINDOWS\System32\eplrr3.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
Steve (thread author) Posted June 24, 2005 Some trojans in there mate. There's also a CoolWebSearch infection on the machine. The first thing you need to do is download CWShredder, run it and hit Fix. Let it do its thing, reboot the PC and immediately grab a new HijackThis log and post it. Then we'll sort the other shit. Here's CWShredder: -
http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe

**EDIT** HijackThis needs to run from its own folder too. Make a folder on the desktop and extract it there. If you run it from within the zip file as you did when that log was taken, no backups will be made.
alkatrazz Posted June 24, 2005 Holy shit, internet god Steve aka esteve aka stevoruni aka the stevemeister aka SIGMA aka MAAAAGMA aka helpful guy comes through again... Dude, sorry for not thanking you, but I just saw this right now lol. I left his computer all jacked up hahaha, well I removed stuff that I knew was bad and gave him Crap Cleaner and was about to give him RegSeeker, which I will do now. Thanks a lot dude, may god pay you and your help with virgin brides.
CompeteWithPete Posted June 24, 2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
c:\windows\system32\ozebmu.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Idania\Desktop\hijackthis\HijackThis.ex

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://more-pages.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xpohau] c:\windows\system32\nvpksg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [doopem] c:\windows\system32\ozebmu.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O21 - SSODL: eplrr - {4EFAD475-24B2-4620-9D2E-C92D7494C884} - C:\WINDOWS\System32\eplrr3.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
CompeteWithPete Posted June 24, 2005 I hope she ran CWShredder correctly haha
Steve (thread author) Posted June 25, 2005 CWShredder didn't work, but no matter.

First off hit Control/Alt/Delete to bring up the Task Manager. End the following processes: -
ozebmu.exe
tgcmd.exe

Go to Add/Remove Programs and look for Tioga, Support.Com, SupportSoft, basically anything that looks like that (should be 1 item only) and uninstall it. If you can't find anything don't worry.

Hit Start then Run and type "services.msc" without quotes and hit Enter. Scroll down to the NVIDIA Driver Helper Service. Left click it to select it, then right click it and choose Properties. In the new window that opens, set the Startup Type to Disabled in the drop down box then hit Apply then OK. Exit out of that screen.

Turn off System Restore. You will lose all your restore points, but this is necessary to stop any infected files being replaced. You can turn it off by right clicking on My Computer and selecting the System Restore tab.

Next, run HijackThis and put a check mark next to all of these: -
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://more-pages.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xpohau] c:\windows\system32\nvpksg.exe
O4 - HKLM\..\Run: [doopem] c:\windows\system32\ozebmu.exe r
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O21 - SSODL: eplrr - {4EFAD475-24B2-4620-9D2E-C92D7494C884} - C:\WINDOWS\System32\eplrr3.dll (file missing)

Make sure ALL windows are closed except HijackThis and hit Fix Checked.

Reboot your PC and tap F8 as it's starting up. When the boot menu appears, select Safe Mode and your machine will start. Start Windows Explorer, not Internet Explorer, then hit Tools then Folder Options. Click on the View tab and make sure the following are set like this: -
Show hidden files and folders (Selected)
Hide extensions for known file types (NOT selected)
Hide protected operating system files (Recommended) (NOT selected)
Then hit Apply then OK.

Now, you must browse to these files and folders and delete them all if they exist: -
c:\program files\support.com
c:\windows\system32\nvpksg.exe
c:\windows\system32\ozebmu.exe
C:\WINDOWS\System32\eplrr3.dll

Now, run Disk Cleanup from the System Tools section of your Start Menu. You may also wanna run CCleaner at this point (see the link below). Make sure you delete all temporary files, including emptying the Recycle Bin.

Reboot your PC into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to Low - if it has, click on Default Level. Then hit Apply then OK.

Reboot one more time and if all is well, turn System Restore back on and create a new restore point.

Your friend appears to be running no firewall. Download and install Sygate, then disable the built-in XP firewall - you must do the latter because you don't want to have two firewalls running.
http://smb.sygate.com/products/spf_standard.htm

Any further problems, post another log. I think she should be OK though.

-----------------------------------------------------------------------------------------------------------

I would recommend doing this to get your PC nice and cleaned up (optional, but definitely worth doing!): -

1. Download and install CCleaner from HERE. Install it and hit "Run Cleaner" bottom right. Simple as that. It's a good idea to reboot once it's done.

2. Download RegSeeker from HERE. Run it and make sure the box in the bottom left corner to backup before deletion is checked. Click "Clean The Registry" in the menu on the left hand side. Make sure all the boxes on the next screen are checked (one won't be), then hit "OK!". Once the scan is complete, hit "Select All" at the bottom of the screen - all the items should turn yellow. Right click any one of them on the list and choose "Delete selected items". Then exit the program. At this point you definitely must reboot.

3. Finally, download NTREGOPT from HERE. Run it and hit "OK" to scan your registry. It only takes a minute or two and then a prompt will appear telling you to reboot. Once the PC has rebooted, your clean compacted registry will replace the old bloated one and you should be good to go.

Repeat steps 1-3 above every so often and your PC should stay on top form. Any cookies will be lost when you run CCleaner (this can be changed in the options) so you'll need to log into any sites that require passwords again.
CompeteWithPete Posted June 25, 2005 YOU ARE THE BOMB STEVE!!!!!!!!!!!! WOOOOOOOOT!
CompeteWithPete Posted June 25, 2005 This is what she's left with now after following your instructions. She cool?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\RFA\rfagent.exe
c:\windows\system32\qnghjz.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\svcproc.exe
C:\Documents and Settings\Idania\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [lyysqs] c:\windows\system32\qnghjz.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
Steve (thread author) Posted June 25, 2005 Is she cool? No. She's got that fucking Aurora thing now which is a total cunt to remove. That wasn't there before. It's this: -
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

And also these: -
C:\WINDOWS\svcproc.exe
c:\windows\system32\qnghjz.exe

The second part (qnghjz.exe) will rename itself every time the PC is rebooted, making it fucking difficult to delete. It has to be removed, so here's what to try.

If you have not restarted the computer since posting that log, run HijackThis and check off the following: -
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [lyysqs] c:\windows\system32\qnghjz.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all windows and hit Fix Checked.

Go HERE and follow the instructions by pechenegs - his first and third posts in the thread. Where he mentions zbxhmsv.exe, substitute that for qnghjz.exe. Also, when in Safe Mode browse to the following file and delete it: -
C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll

Either CCleaner or Disk Cleanup was not run, or the PC was infected again since doing so - through lack of a firewall. :s

Once clean, you'll have to do the part about hitting Reset Web Settings etc. in IE again and re-entering the home page. Hope it works!
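A small triage script for logs like the ones pasted in this thread, added here as an example; it is not Steve's code and not part of HijackThis. It flags the entry types Steve singles out in his posts (the res:// search bar served from a Temp DLL, the F2 Shell= line with Nail.exe chained after Explorer.exe, the random-named Run entry in system32 that renames itself each boot, the SSODL entry whose DLL is missing, and the unknown-owner service) and then lists the files behind those entries, which is the Safe Mode delete list. The sample lines are a constructed subset copied from the logs above; the "random name" rule and the Temp-folder rule are my assumptions, not a published HijackThis rule set.

```python
"""Triage a HijackThis log for the indicator types called out in this thread.

Added example (not code from the thread or from HijackThis). The rules below are
assumptions derived from the entries Steve singles out: a res:// search page
served from a Temp DLL, an F2 Shell= line with an extra executable chained
after Explorer.exe, O4 Run entries with random names launching random-named
executables from system32, an O21 SSODL entry whose DLL is missing, and an O23
service with an unknown owner.
"""
import re

# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [lyysqs] c:\windows\system32\qnghjz.exe r
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O21 - SSODL: eplrr - {4EFAD475-24B2-4620-9D2E-C92D7494C884} - C:\WINDOWS\System32\eplrr3.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
"""

# First drive-letter path ending in .exe or .dll on a line (spaces allowed, non-greedy).
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
# Run-key name and target stem both a short run of lowercase letters: the
# self-renaming pattern in the thread (lyysqs/qnghjz.exe, wbmwxe/zmwmgif.exe).
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def check_line(line):
    """Return a short reason if the entry looks hostile, otherwise None."""
    line = line.strip()
    if line.startswith("F2 - ") and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "F2 shell hijack: extra executable chained after Explorer.exe"
    if line[:2] in ("R0", "R1") and "res://" in line and "\\temp\\" in line.lower():
        return "IE search/start page served from a DLL in a Temp folder"
    m = O4_RUN.match(line)
    if m:
        target = WIN_PATH.search(m.group("cmd"))
        if target:
            stem = target.group(0).rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
            if ("\\system32\\" in target.group(0).lower()
                    and RANDOM_NAME.match(m.group("name"))
                    and RANDOM_NAME.match(stem)):
                return "random-named Run entry launching random-named exe from system32"
    if line.startswith("O21 - SSODL") and "(file missing)" in line:
        return "SSODL entry pointing at a missing DLL (dropper residue)"
    if line.startswith("O23 - Service") and "Unknown owner" in line:
        return "service with unknown owner: verify the binary before trusting it"
    return None


def triage(log_text):
    """Return [(reason, line)] for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        reason = check_line(raw)
        if reason:
            findings.append((reason, raw.strip()))
    return findings


def paths_to_delete(log_text):
    """Files behind the flagged entries: the list to delete from Safe Mode after
    fixing the entries in HijackThis (Nail.exe, svcproc.exe, the renamed exe, ...)."""
    seen = {}
    for _, line in triage(log_text):
        m = WIN_PATH.search(line)
        if m:
            seen.setdefault(m.group(0).lower(), m.group(0))
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {line}")
    print("\nDelete from Safe Mode:")
    for path in paths_to_delete(SAMPLE_LOG):
        print("   ", path)
```

Run it as-is to see the five hits from the sample, or feed it a whole log with `triage(open(path).read())`. The random-name rule is the weak one: it catches the lyysqs/qnghjz.exe and wbmwxe/zmwmgif.exe pairs seen in this thread but would miss a dropper that picks a pronounceable name, and a legitimate vendor using a short all-lowercase name in system32 would need to be whitelisted. Steve's point about the exe renaming itself on every reboot is also why the file list must be regenerated from a fresh log taken right before the Safe Mode delete step.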
CompeteWithPete Posted June 25, 2005 HLY SHT! lol
CompeteWithPete Posted June 25, 2005 This is what she's got now :s

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\windows\system32\zmwmgif.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\RFA\rfagent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Idania\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Idania\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [wbmwxe] c:\windows\system32\zmwmgif.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
Steve (thread author) Posted June 25, 2005 It's still there Pete. It renamed itself to this: -
O4 - HKLM\..\Run: [wbmwxe] c:\windows\system32\zmwmgif.exe

It also replaced the other 3 items, so you're back where you started. Something obviously didn't go to plan. Even the best experts in HijackThis and spyware removal are having problems removing Aurora. People are mad - lawsuits are taking place and shit. lol.

The next thing I would suggest is trying the Trend online spyware scan: -
http://www.trendmicro.com/spyware-scan/

If that still doesn't work, head over to the Spyware Warrior forum and look in the HijackThis logs section: -
http://spywarewarrior.com/viewforum.php?f=5

You'll see plenty of people infected with the same thing. The advice they give seems to be the same as I've already given you above though, but it may be worth asking there.
Steve (thread author) Posted June 25, 2005 Try this forum too: -
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
Jon Posted June 25, 2005 Steve, how do you know all this stuff lol? Are you a computer repair guy or something?
Steve (thread author) Posted June 25, 2005 Not yet.
Jon Posted June 25, 2005 haha - you seem to know much more than the guy I took my PC to when it died on me. He removed a trojan and said nothing came back, then after 30 mins it came straight back when I got home. I have a new PC now and have it firewalled and antivirused to the brim haha