Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack this Log: Please Helo Diagnose


  • This topic is locked This topic is locked
2 replies to this topic

#1 tward

tward

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:21 PM

Posted 01 March 2005 - 02:56 PM

Hello all,

I am using Hijack This for the first time on my wifes computer. Windows 2000 that was logged in as Admin when it got hammered. Needless to say I have been unable to clean it up with ad-aware and MS AntiSpyWare. Please review my log file and help me with the appropriate "Bad Boys". Thanks

Tom

Sorry::


Logfile of HijackThis v1.99.1
Scan saved at 12:29:15 PM, on 3/1/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\vyyag.exe
C:\WINNT\System32\Dqwsve.exe
C:\WINNT\System32\Xsuinv.exe
C:\WINNT\System32\UpdateXPSP.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\ISTsvc\istsvc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Suite Eval\fplaunch.dll
O2 - BHO: SDWin32 Class - {F71EE20C-98E8-46CA-B89E-64AB21705720} - C:\WINNT\System32\lemzu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DlVv] C:\WINNT\vyyag.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Dqwsve.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Xsuinv.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [USB 2.0 Driver] UpdateXPSP.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [0/4}<oUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\vyyag.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [USB 2.0 Driver] UpdateXPSP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/c...033_ICMEDIA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{24334572-8F3D-4BD1-B36C-AB0FBE60338E}: NameServer = 12.32.34.32 12.32.34.33
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)

Edited by tward, 01 March 2005 - 03:15 PM.


BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:21 AM

Posted 03 March 2005 - 01:28 PM

Hello Tward and welcome to Bleepingcomputer.


Your log contains one or more viruses or remnants of those viruses. It is important to keep your installed antivirus program up to date and to do a full system scan periodically.

Please do an online virus scan at these two sites:
TrendMicro Housecall
Panda ActiveScan

Allow the online scans to remove anything they find. Report anything that they can not remove.


Let's first try to remove the ISTBar & Components by use the Symantec removal Tool available at:
http://sarc.com/avcenter/venc/data/adware.istbar.html
Follow Symantec's instructions for how to run it.


You have Microsoft AntiSpyware running. This program may interfer with the changes we are going to make using HijackThis. Please disable MSAS for the duration of this fix.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O2 - BHO: SDWin32 Class - {F71EE20C-98E8-46CA-B89E-64AB21705720} - C:\WINNT\System32\lemzu.dll (file missing)

O4 - HKLM\..\Run: [DlVv] C:\WINNT\vyyag.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Dqwsve.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Xsuinv.exe
O4 - HKLM\..\Run: [USB 2.0 Driver] UpdateXPSP.exe
O4 - HKLM\..\Run: [0/4}<oUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\vyyag.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [USB 2.0 Driver] UpdateXPSP.exe

O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bullseye-network.net/cashback/c...033_ICMEDIA.cab

O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found:

C:\WINNT\vyyag.exe <--File
C:\WINNT\zeta.exe <--File
C:\WINNT\System32\lemzu.dll <--File
C:\WINNT\System32\Dqwsve.exe <--File
C:\WINNT\System32\Xsuinv.exe <--File
C:\Program Files\ISTsvc\ <--Folder

Use Windows Search to locate the following file and delete it:

UpdateXPSP.exe

If any of these resist being deleted, boot into Safe Mode and try from there. Then reboot back into normal mode.


Please reboot and post a new HJT log.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:21 AM

Posted 17 March 2005 - 02:27 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users