Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

heres my log -- please help


  • This topic is locked This topic is locked
2 replies to this topic

#1 razman

razman

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 10 March 2005 - 01:20 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:20:00 AM, on 3/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Frih\Ejre.exe
C:\WINDOWS\System32\lsopdbug.exe
C:\WINDOWS\hhnt.exe
C:\WINDOWS\System32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\GMT\GMT.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\java\Packages\basabr.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\nsserv.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\Rar$EX00.282\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vzjllrcutvhmb.com/zD4/kJku8nwZD...h/2VVkP0gf.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.50.188.82 google.com
O1 - Hosts: 69.50.188.82 altavista.com
O1 - Hosts: 69.50.188.82 www.altavista.com
O1 - Hosts: 69.50.188.82 msn.com
O1 - Hosts: 69.50.188.82 www.msn.com
O1 - Hosts: 69.50.188.82 search.msn.com
O1 - Hosts: 69.50.188.82 search.yahoo.com
O1 - Hosts: 69.50.188.82 yahoo.com
O1 - Hosts: 69.50.188.82 www.yahoo.com
O1 - Hosts: 69.50.188.82 search.aol.com
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 alltheweb.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 hotbot.com
O1 - Hosts: 69.50.188.82 www.hotbot.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 www.lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC} - C:\PROGRA~1\XSOFTW~1\XPCSPY~1\IESpy.dll
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\cbdopxe.dat
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\saca.dat
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\saca.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\saca.dat
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\dvdgepj.dat
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\bvrba.dat
O2 - BHO: (no name) - {DAC8BF1E-DC6B-6E6B-3141-D24B96E49656} - C:\DOCUME~1\JASONB~1\APPLIC~1\INTERN~1\Mpeg Meta.exe
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\siiw.dat
O2 - BHO: CATLEvents Object - {EE98054D-7456-4B37-AD9C-0A25622757C4} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\cyek.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\saca.dat
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\rbasab.dat
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [System Check] Rundll32.exe SysDll32.dll,SystemCheck
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [acas] C:\WINDOWS\repair\acas.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [*acas] C:\WINDOWS\repair\acas.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [*inetlib] C:\WINDOWS\inetlib.exe
O4 - HKLM\..\Run: [*inetcab] C:\WINDOWS\Config\inetcab.exe
O4 - HKLM\..\Run: [*iisplay] C:\WINDOWS\assembly\iisplay.exe
O4 - HKLM\..\Run: [*vbmp3] C:\WINDOWS\java\vbmp3.exe
O4 - HKLM\..\Run: [*docfax] C:\WINDOWS\Microsoft.NET\docfax.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [*basabr] C:\WINDOWS\java\Packages\basabr.exe rerun
O4 - HKLM\..\RunOnce: [*waverbak] rundll32.exe C:\WINDOWS\Tasks\waverbak.dll,Initialize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [CHIC MIX] C:\DOCUME~1\JASONB~1\APPLIC~1\BLEHDV~1\option owns mess.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINDOWS\hhnt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Tasks\infodoc.exe ren my_time:1110383292
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Aceclub.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\AceClub Casino\bin\IEExtension_AC.dll
O9 - Extra 'Tools' menuitem: Aceclub.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\AceClub Casino\bin\IEExtension_AC.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.buldog-stats.com/adv/16/open.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...34006/lotto.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/ve...n7/dlhelper.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28177.cab
O20 - Winlogon Notify: basabr - C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\rbasab.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: System Out (SystemOutService) - X Software, Inc. - C:\WINDOWS\System32\systemout.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

BC AdBot (Login to Remove)

 


#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:07:12 AM

Posted 16 March 2005 - 05:11 AM

Hi razman,

Sorry about the delay in getting to you. Your log indicates that you are seriously behind with your updates for Windows, we will need to fix this early on so that you don't become reinfected whilst we are fixing your machine. If you are still requiring help with these malware infections can you please do the following steps.
  • You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis
    makes may accidentally get deleted, so please put HijackThis into a permanent folder.
    Full instructions on how to do this can be found here:Detailed Explanation
    Brief instructions to create a permanent folder are:
    • Click My Computer, then C:\
    • In the menu bar choose, File -> New -> Folder.
    • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
    • Now you have C:\HJT\ folder.
    • Put your HijackThis.exe there.
  • You have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first ( thanks to Elrond and shelf life ).

    Go into the Control Panel and Then Add/Remove programs and remove any of the following software that is present. Don't reboot your machine if asked, we will do that later..Window Search
    Window Searching
    Lop.com
    LOP SEARCH
    Browser Enhancer
    Ultimate Browser Enhancer
  • Whilst you are still in Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

  • The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

  • The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

  • If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

  • To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully voila one nasty infection is gone.

  • Run HijackThis and post a new log here using the Add Reply button. When you post back please let me know how things went and we can do the next steps to clean your machine.


#3 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:07:12 AM

Posted 30 March 2005 - 02:03 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users