
HJT log post -- help, days lost already!


  • This topic is locked
19 replies to this topic

#1 leehamster

leehamster

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 01 March 2005 - 06:24 AM

I run adaware, spybot, norton a-v, and have downloaded and used spysweeper. No dice. Any advice? Thanks very much -- this has affected my professional and family computer usage dramatically.

leehamster

Logfile of HijackThis v1.99.1
Scan saved at 3:05:47 AM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\jipdegtwub.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [juhako] c:\windows\system32\juhako.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://www.vivo.com/dldv2/vvweb.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://insideleboeuf.llgm.com/worksite/bin/iManFile.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 PM

Posted 01 March 2005 - 07:52 AM

Hello Lee, Welcome to BleepingComputer. If you still need some help, I would like you to follow these instructions.

1) I wish to check for any hidden CWSearch infections. Download, save to the desktop, update and FIX not scan. Allow the CWShredder to run until finished. Let me know if it finds anything.
http://www.softpedia.com/get/Internet/Popu...WShredder.shtml

2) Please read the instructions in this Symantec link, download and run the Symantec Adware.Websearch tool.
http://sarc.com/avcenter/venc/data/adware.websearch.html

3) Your HJT.exe is running from a temporary zip file. We need it in a permanent folder to save backups for safety and logs. I suggest opening your C:\ then right click on a blank spot and make a NEW FOLDER. Call it HJT, then move the HJT.exe into that folder. Delete any instance of HJT like the zip that is not in that folder. If you need more information this link will help: http://russelltexas.com/malware/faqhijackthis.htm

4) This is a random named trojan that is running on your computer: C:\WINDOWS\system\jipdegtwub.exe. Open your task manager and under the Processes Tab, end process on this item.

5) Files we have to remove may be hidden by these malware writers. Use the instructions in the following link to enable hidden files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

6) SPECIAL INSTRUCTIONS: This item is running on your computer: O4 - HKLM\..\Run: [juhako] c:\windows\system32\juhako.exe. There is little information and I believe it is bad and will remove it UNLESS you specifically know what it is. If so, pass over the item in the removal instructions and let me know what this item is. You are running SpySweeper and it may try to stop the Fix with HJT. You will need to turn it off until you have finished the fix. You also have two restrictions set that appear as O6 items in the log. I will schedule them for removal. If you set the restrictions and wish them to remain, pass over those lines.

7) Some of the items I am going to list may have been removed by the tools earlier. If you do not see something, continue through the instructions, just do not miss anything.

8) Scan with HijackThis and check the box in front of these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [juhako] c:\windows\system32\juhako.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe
Troj/Dloader-HW
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
-FunWebProducts

Close all programs but HJT and all browser windows then click on "Fix Checked"

Make sure you have enabled hidden files then RIGHT Click on Start and click on Explore. Locate and delete these files:

C:\WINDOWS\system\jipdegtwub.exe >>> file

c:\windows\system32\juhako.exe >>> file

C:\windows\system32\elitejky32.exe >>> file

Empty the recycle bin and restart the computer. Stay in this same thread using Add Reply, post a new log along with the information requested from the scans. Your comments and feedback are very important.

Thanks...pskelley
BleepingComputer.com
http://www.bleepingcomputer.com/supportus.php

Edited by pskelley, 01 March 2005 - 07:54 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
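As an added example (not code from this thread, from HijackThis or from BleepingComputer), a small Python triage script that parses the HJT log layout shown above and flags the same classes of entries pskelley schedules for "Fix checked": R0/R1 search settings pointing at a host the owner does not recognise, the missing URLSearchHook, the orphaned O3 toolbar, an O4 Run entry and a running process launched from the Windows directory, the O6 policy restrictions, and an O16 DPF entry with no control name. The sample log is a constructed subset of the poster's lines, and the known-host and Windows-binary lists are assumptions a helper would tune per machine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v1.99 log layout used in this thread
# (a subset of the poster's lines, so the script runs offline).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system\jipdegtwub.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [juhako] c:\windows\system32\juhako.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Constructed allowlist: hosts the owner recognises; other R0/R1 hosts = hijack.
KNOWN_HOSTS = {"www.nytimes.com", "www.comcast.net"}
# Constructed short list of core XP binaries expected in the Windows directory.
WINDOWS_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                    "alg.exe", "wdfmgr.exe", "fxssvc.exe", "taskmgr.exe"}
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

def parse_hjt(text):
    """Split an HJT log into the running-process list and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False            # first R/O line ends the process list
            entries.append(m.groups())
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def host_of(value):
    """Host of a URL-ish value; HJT prints some (SearchURL) without a scheme."""
    if re.match(r"^[A-Za-z]:\\", value):  # local file path, not a URL
        return ""
    return urlsplit(value if "://" in value else "http://" + value).hostname or ""

def in_windows_dir(path):
    return re.search(r"\\windows\\system(32)?\\", path, re.I) is not None

def triage(text, known_hosts=KNOWN_HOSTS):
    """Return (item, reason) pairs a helper would schedule for Fix checked."""
    processes, entries = parse_hjt(text)
    out = []
    for proc in processes:
        if in_windows_dir(proc) and proc.rsplit("\\", 1)[-1].lower() not in WINDOWS_BINARIES:
            out.append((proc, "unknown executable running from the Windows directory"))
    for sec, body in entries:
        item = f"{sec} - {body}"
        if sec in ("R0", "R1") and " = " in body:
            host = host_of(body.split(" = ", 1)[1])
            if host and host not in known_hosts:
                out.append((item, f"IE search/start setting points at {host}"))
        elif sec == "R3" and "missing" in body:
            out.append((item, "default URLSearchHook missing"))
        elif sec == "O3" and "(no file)" in body:
            out.append((item, "orphaned toolbar entry"))
        elif sec == "O4":
            m = re.search(r'\]\s+"?(.+?\.exe)', body, re.I)
            if m and in_windows_dir(m.group(1)):
                out.append((item, "Run entry launching from the Windows directory"))
        elif sec == "O6" and body.endswith("present"):
            out.append((item, "IE policy restriction; remove unless set on purpose"))
        elif sec == "O16" and not re.search(r"\} \(.+?\) - ", body):
            out.append((item, "ActiveX download with no control name"))
    return out
```

Call `triage(SAMPLE_LOG)` for the flagged (item, reason) pairs, or pass the full text of a real log; entries such as the SpySweeper Run line, the nytimes start page and the named ActiveScan control are left alone.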

#3 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 01 March 2005 - 06:31 PM

Thanks very much. I'm working my way through your advice (while my computer slows to a walk with popups).

Downloaded HJT to its own directory.

CWShredder found no CWS. It did say it fixed 3 IE pages.

#4 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 PM

Posted 01 March 2005 - 06:38 PM

Thanks for the information, at least we have ruled out CWS. I will be notified when you post, I am not always available but will get back to you as soon as possible. pskelley

As a second thought I am going to give you a couple of free online scans. You might try one of them as your log does display trojans. I would wait until you have cleaned up enough that you have some speed before executing them, hoping you are on highspeed internet of some kind.

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm

Edited by pskelley, 01 March 2005 - 06:43 PM.


#5 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 01 March 2005 - 07:12 PM

I've got hidden items visible.

I have deleted jibdegtwub.exe from Task Manager processes. I've done this before, but did it again now. It's gone for now.

Downloaded Adware.websearch tool. It took a long time to run.

juhako.exe -- I'm assuming bad too. I've tried to remove before, have not succeeded. I didn't put it there (knowingly :thumbsup: ).

Shutting down spysweeper.

I did not knowingly put the 06 restrictions in, so let's take them out.

#6 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 01 March 2005 - 07:17 PM

symantec adware.websearch tool "deleted 30 threats" and "fixed 20 registry entries"

moving on to the other tools you provided. System running faster now, no popups currently.

thanks, thanks, thanks

#7 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 02 March 2005 - 06:14 AM

Just giving status as this progresses.

trend micro house call found
10 viruses
0 worm/trojans
21 spyware
2 Microsoft vulnerabilities

at recovery

2 spyware removed
2 vulnerabilities detected

Some popups still, but I can delete them now as they pop up.

#8 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 02 March 2005 - 07:10 AM

Ran HJT.

Logfile of HijackThis v1.99.1
Scan saved at 3:58:46 AM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O4 - HKLM\..\Run: [juhako] c:\windows\system32\juhako.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://www.vivo.com/dldv2/vvweb.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://insideleboeuf.llgm.com/worksite/bin/iManFile.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Then I fixed as you suggested.

Now can't find

C:\WINDOWS\system\jipdegtwub.exe >>> file

c:\windows\system32\juhako.exe >>> file

C:\windows\system32\elitejky32.exe >>> file

There is a c:\windows\system32\ shortcut to juhako as an MSDOS file. 3K. I deleted it though.

#9 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 02 March 2005 - 07:17 AM

Pop ups still coming, though again slowly and I'm able to close out of them.

Logfile of HijackThis v1.99.1
Scan saved at 4:13:11 AM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://insideleboeuf.llgm.com/worksite/bin/iManFile.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I fixed O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe again.

Then went to look, and didn't see it in c:\windows\system32\.

Pop ups still coming, same.

Any other thoughts? I'm going to run Norton AV scan now for the heck of it.

#10 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 PM

Posted 02 March 2005 - 08:26 AM

Good morning,

Any other thoughts? I'm going to run Norton AV scan now for the heck of it.


Yep, I think things are looking a lot better. We still have one item that has to go. It looks like this:
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejky32.exe
I am also going to remove the two DPF (Downloaded Program Files) you installed to run online scans. Once clean, if you ever need them again it is better to download them again, and you will be prompted to do so if you visit the site. Here is some information about this article:
http://www.bleepingcomputer.com/startups/e...2.exe-7196.html
and
http://computercops.biz/postt106907.html
So now you can understand the nature of this beast. Since the information indicates we are not going to remove it with HJT, then we will use this method. First we will run DllCompare, follow these instructions and post the log for me.

Remove as much as possible using Ad-aware with the most recent reference file. Reboot and have these 2 utilities ready:
DllCompare (version 1.0.0.127, which will scan for locked files created by VX2)
and
Killbox (version 2.0.0.76, which will be responsible for removing the files found)

Using DllCompare

Copy the dllcompare.exe to your desktop, don't just run it from the download site.
It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete (in blue: "Completed").
Click the button [Make a Log of what was Found]

The links to DllCompare and Killbox are in here:
http://computercops.biz/postt106907.html
Post that log for me once we establish the name of the item, then we will use the KillBox to delete it. I will hold the last run of HJT until this item is gone.
Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 02 March 2005 - 08:31 AM.


#11 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 02 March 2005 - 09:30 AM

Here is the log.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 4 2004 12:56:44a A.SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Wed Aug 4 2004 12:56:44a A.SH. 83,456 81.50 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Wed Aug 4 2004 12:56:44a A.SH. 343,040 335.00 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 4 2004 12:56:44a A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Wed Aug 4 2004 12:56:44a A.SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\mfc42.dll Wed Aug 4 2004 12:56:42a A.SH. 1,028,096 1004.00 K
________________________________________________

1,594 items found: 1,594 files (6 H/S), 0 directories.
Total of file sizes: 358,044,669 bytes 341.46 M

Administrator Account = True

--------------------End log---------------------

#12 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 03 March 2005 - 01:38 PM

If you have a moment, pskelley, please let me know what to delete with Killbox. Thanks. Liam

#13 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 PM

Posted 03 March 2005 - 02:28 PM

Hello Liam, Please post a new log for me, Thanks...pskelley

#14 leehamster

leehamster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 03 March 2005 - 06:18 PM

Sure, here you go:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 4 2004 12:56:44a A.SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Wed Aug 4 2004 12:56:44a A.SH. 83,456 81.50 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Wed Aug 4 2004 12:56:44a A.SH. 343,040 335.00 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 4 2004 12:56:44a A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Wed Aug 4 2004 12:56:44a A.SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\mfc42.dll Wed Aug 4 2004 12:56:42a A.SH. 1,028,096 1004.00 K
________________________________________________

1,594 items found: 1,594 files (6 H/S), 0 directories.
Total of file sizes: 358,044,669 bytes 341.46 M

Administrator Account = True

--------------------End log---------------------

#15 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 PM

Posted 03 March 2005 - 06:22 PM

Yo Liam, I am sorry, it is a new HijackThis log I need. Thanks