Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack Log -->


  • Please log in to reply
6 replies to this topic

#1 hiss3141

hiss3141

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 03 February 2005 - 09:48 PM

Some advise on how to remove my spyware would be greatly appreciated, i have already installed and ran SpySweeper, Ad-Aware, and Spyware Doctor and it seams none of them can get rid of the IST/XXX toolbar, and who knows what else is still on there, thanks a lot.
-JW

Logfile of HijackThis v1.99.0
Scan saved at 9:22:35 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\SndMon32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\scrgrd.exe
C:\WINDOWS\System32\navupdaters.exe
C:\WINDOWS\System32\navprotect.exe
C:\WINDOWS\aknnkb.exe
C:\WINDOWS\System32\msxml.exe
C:\WINDOWS\System32\wuaumgr.exe
C:\WINDOWS\System32\Sygate.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\trillian.exe
C:\Program Files\Free History Eraser\HistoryEraser.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ttukpu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [dkMS] C:\WINDOWS\aknnkb.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\Run: [LsasS] Sygate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Messanger] trillian.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\RunServices: [Windows Sound Manager] SndMon32.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\RunServices: [LsasS] Sygate.exe
O4 - HKLM\..\RunServices: [Messanger] trillian.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Windows Sound Manager] SndMon32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKCU\..\Run: [Messanger] trillian.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Windows Sound Manager] SndMon32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O21 - SSODL: mtklefa - {88333D5B-4E29-412C-04A2-3ABA003236C2} - C:\WINDOWS\System32\niuysc32.dll
O21 - SSODL: mtklefap - {9B25DB34-F38C-42E1-FBBC-F0547CCDA84A} - C:\WINDOWS\System32\kboovh32.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

BC AdBot (Login to Remove)

 


#2 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:45 AM

Posted 04 February 2005 - 12:27 PM

Hi hiss3141,

I'm looking at your log now and I'll get back to you shortly.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#3 hiss3141

hiss3141
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 06 February 2005 - 10:40 AM

how are ya making out with the log Joe? thanks

#4 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:45 AM

Posted 06 February 2005 - 11:09 AM

Sorry for the delay, I have to get my posts approved by a senior adviser so hence the delay. They appear to be very busy right now but I'm sure it won't be much longer.

Be assured we haven't forgotten you.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#5 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:45 AM

Posted 06 February 2005 - 11:49 AM

Hi hiss3141,

You may want to print these instructions, since you're closing your Web Browser during the fix.

You have a seriously infected Computer.

Please run the following online scans and let them fix everything they find:

HOUSECALL and ONLINE TROJANSCAN
Or alternatively:
Bitdefender and and Sygate Trojan Scan

Go to Start -> Run and type Services.msc, then press the OK button. Look for a service called ZESOFT. Double click on that service and press the Stop button, and then set the Startup type to Disabled. Press OK, and close all the windows.

Open Hijackthis, take another scan and place a checkmark next to all these entries that are still present.

O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [dkMS] C:\WINDOWS\aknnkb.exe
O4 - HKLM\..\Run: [XML Service] msxml.exe
O4 - HKLM\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\Run: [LsasS] Sygate.exe
O4 - HKLM\..\Run: [Messanger] trillian.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] navupdaters.exe
O4 - HKLM\..\RunServices: [Windows Sound Manager] SndMon32.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [XML Service] msxml.exe
O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
O4 - HKLM\..\RunServices: [LsasS] Sygate.exe
O4 - HKLM\..\RunServices: [Messanger] trillian.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Windows Sound Manager] SndMon32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [NAV Auto Updates] navupdaters.exe
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKCU\..\Run: [Messanger] trillian.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Windows Sound Manager] SndMon32.exe
O21 - SSODL: mtklefa - {88333D5B-4E29-412C-04A2-3ABA003236C2} - C:\WINDOWS\System32\niuysc32.dll
O21 - SSODL: mtklefap - {9B25DB34-F38C-42E1-FBBC-F0547CCDA84A} - C:\WINDOWS\System32\kboovh32.dll
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Close all open Windows except Hijackthis and click on "fix Checked".

* Reboot into SAFE MODE. (very important!!)

To get into the Windows XP Safe mode:
As the Computer is booting, start tapping the "F8 key" before WinXP starts loading, which should bring up the "Windows Advanced Options Menu".
Use your arrow keys to move to "Safe Mode without internet connection" and press your Enter key.

* Enable the ”Show Hidden Files and Folders” option:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files (recommended)"
Click Yes to confirm.
Click OK.

* Navigate to and delete the following Files/Folders if present:

C:\WINDOWS\System32\niuysc32.dll <<<---
C:\WINDOWS\System32\kboovh32.dll <<<---

Reboot the Computer in normal mode, then click the "AddReply" button top right in this post and post a new log in this thread for further review and evaluation.

Do you know what this entry is? Do not remove it.
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ttukpu.exe

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#6 hiss3141

hiss3141
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:45 AM

Posted 07 February 2005 - 01:14 PM

I appreciate the help very much, but i think im just going to format and reinstall XP since its in such bad shape, and i want to be sure i get rid of it all, thanks again!

#7 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:45 AM

Posted 08 February 2005 - 03:55 PM

Hi hiss3141,


I appreciate the help very much, but i think im just going to format and reinstall XP since its in such bad shape, and i want to be sure i get rid of it all, thanks again!



I understand how you feel but a clean install is normall a last resort. We've see logs much worse than that so if you change your mind post back and let us know.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users