 Hijackthis log Help please |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Forum Guidelines
Read this topic before posting a log. DO NOT post a ComboFix log unless requested to. Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  |
 Mar 9 2005, 02:31 PM
Post
#1
|
|
|
New Member  Group: Members Posts: 8 Joined: 4-March 05 Member No.: 13,565  |
Logfile of HijackThis v1.99.1 Scan saved at 2:08:14 PM, on 3/9/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\NavNT\defwatch.exe C:\WINNT\System32\svchost.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\WINNT\system32\cba\pds.exe C:\Program Files\NavNT\rtvscan.exe C:\Program Files\SSC\NSCTOP.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\ams_ii\hndlrsvc.exe C:\WINNT\system32\MsgSys.EXE C:\WINNT\system32\ams_ii\iao.exe C:\WINNT\system32\cba\xfr.exe C:\WINNT\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Roxio\GoBack\GBTray.exe C:\WINNT\system32\mshta.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmxtalk.com/index.jsp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.remaxtalk.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O1 - Hosts: 192.1.1.2 mris_sv1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {24A9F7DF-401F-6111-C037-055852A4DB48} - \\remaxlanham\userfolders\nearia\APPLIC~1\ACESIX~1\comp free.exe (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll (file missing) O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Memo Bows Idol Global] C:\Documents and Settings\All Users\Application Data\THAT FIVE MEMO BOWS\Regsstyle.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.remaxtalk.com O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.pbcprc.com/CFIDE/classes/CFJava.cab O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = remaxa O17 - HKLM\System\CCS\Services\Tcpip\..\{6AD83E7A-A146-4A75-9650-0593A3A895A3}: Domain = mris.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = remaxa O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = remaxa O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE Thanks, John |
 |
 
|
|
Mar 9 2005, 06:25 PM
Post
#2
|
|
 Bleep Bleep! Group: Admin Posts: 29,873 Joined: 24-January 04 From: USA Member No.: 3 |
Print out these instructions and then close all windows including Internet Explorer.
Then I want you to fix some of those entries. Please do the following: Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button: O2 - BHO: (no name) - {24A9F7DF-401F-6111-C037-055852A4DB48} - \\remaxlanham\userfolders\nearia\APPLIC~1\ACESIX~1\comp free.exe (file missing) O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll (file missing) O4 - HKLM\..\Run: [Memo Bows Idol Global] C:\Documents and Settings\All Users\Application Data\THAT FIVE MEMO BOWS\Regsstyle.exe Reboot your computer into Safe Mode Then delete these files or directories (Do not be concerned if they do not exist) C:\Documents and Settings\All Users\Application Data\THAT FIVE MEMO BOWS\ Reboot your computer to go back to normal mode and post a new log. -------------------- Lawrence
|
|
|
|
|
Mar 9 2005, 10:02 PM
Post
#3
|
|
|
New Member Group: Members Posts: 8 Joined: 4-March 05 Member No.: 13,565 |
First of all thank you for the help. It seems to be working better so far. I did all the steps that you suggested and here is the log file from the most recent scan
Logfile of HijackThis v1.99.1 Scan saved at 9:41:57 PM, on 3/9/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\NavNT\defwatch.exe C:\WINNT\System32\svchost.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\WINNT\system32\cba\pds.exe C:\Program Files\NavNT\rtvscan.exe C:\Program Files\SSC\NSCTOP.EXE C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\ams_ii\hndlrsvc.exe C:\WINNT\system32\MsgSys.EXE C:\WINNT\system32\ams_ii\iao.exe C:\WINNT\system32\cba\xfr.exe C:\WINNT\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Roxio\GoBack\GBTray.exe C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmxtalk.com/index.jsp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.remaxtalk.com O1 - Hosts: 192.1.1.2 mris_sv1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.remaxtalk.com O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.pbcprc.com/CFIDE/classes/CFJava.cab O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = remaxa O17 - HKLM\System\CCS\Services\Tcpip\..\{6AD83E7A-A146-4A75-9650-0593A3A895A3}: Domain = mris.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = remaxa O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = remaxa O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE Let me know if you see anything else in this that could be a potential problem. Also I was looking at it myself and was wondering about a couple of these. Are these necessary? O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll They were 2 that I was not sure about. I am still new at this and I just don't want to end up deleting things that I shouldn't. Thanks John |
|
|
|
|
Mar 9 2005, 11:21 PM
Post
#4
|
|
|
Bleep Bleep! Group: Admin Posts: 29,873 Joined: 24-January 04 From: USA Member No.: 3 |
The first one is normal. I heard rumours about the second. Do the following:
I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php fill in the required fields, and browse to the file. Then click on the Send File button. -------------------- Lawrence
|
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 9th January 2009 - 07:08 AM |
© 2003-2008 All Rights Reserved Bleeping Computer LLC.