hijack this log


This topic is locked
9 replies to this topic

#1 desertcarr

desertcarr

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 01 April 2005 - 03:01 PM

I am having problems with a very slow computer using up all the memory. I have over 520 mb RAM memory but can't run WordPerfect and the printer at the same time. There seem to be too many things that turn on automatically. I have tried eliminating programs in the start up, but still have the problem. I also have times when my favorites list is added to w/o my input and icons added to my desktop. I run spyware and adware, have a firewall. I also have problems removing a couple of my software programs. I get an error message that doesn't allow me to take the program off. Thanks for your suggestions.

Logfile of HijackThis v1.99.1
Scan saved at 12:55:21 PM, on 4/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Webshots\Launcher.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xbsffeqointh.info/lxFx0I7MkO84/...Qr514iZ3Rdb.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
O2 - BHO: (no name) - {1AAAF363-4253-668F-855B-B41DDF3DE0BB} - C:\DOCUME~1\bonnie\APPLIC~1\CHINSE~1\WEBFORK.exe
O2 - BHO: (no name) - {416906C5-DF8D-62D7-D362-AFFB1BE87877} - C:\PROGRA~1\CHINSE~1\WEBFORK.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sixthdupemetapop] C:\Documents and Settings\All Users\Application Data\ProxyCreativeSixthDupe\testgreat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKCU\..\Run: [ROAD POKE] C:\DOCUME~1\bonnie\APPLIC~1\AUDIOT~1\interliteroam.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: http://*.foodnetwork.com
O15 - Trusted Zone: http://download.zonelabs.com
O16 - DPF: SwiftWebInstall Class - http://media.affinitymedia.com/offer/insta...tWebInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 ddeerrff
Malware Response Team

Posted 01 April 2005 - 03:25 PM

Hello desertcarr and welcome to BleepingComputer.


Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

rem List everything in the Tasks folder, hidden files included, into sched.txt
dir c:\windows\tasks /a > sched.txt
echo ------- >> sched.txt
rem Append each file's attributes (H = hidden) so hidden jobs stand out
attrib c:\windows\tasks\*.* >> sched.txt
rem Show the result, then remove the temporary file once Notepad is closed
notepad sched.txt
del sched.txt

Select 'Save as type:' as All Files,
Save the file to the desktop as sched.bat. Close Notepad.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xbsffeqointh.info/lxFx0I7MkO84/...Qr514iZ3Rdb.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {1AAAF363-4253-668F-855B-B41DDF3DE0BB} - C:\DOCUME~1\bonnie\APPLIC~1\CHINSE~1\WEBFORK.exe
O2 - BHO: (no name) - {416906C5-DF8D-62D7-D362-AFFB1BE87877} - C:\PROGRA~1\CHINSE~1\WEBFORK.exe (file missing)

O4 - HKLM\..\Run: [sixthdupemetapop] C:\Documents and Settings\All Users\Application Data\ProxyCreativeSixthDupe\testgreat.exe
O4 - HKCU\..\Run: [ROAD POKE] C:\DOCUME~1\bonnie\APPLIC~1\AUDIOT~1\interliteroam.exe

O15 - Trusted Zone: http://*.foodnetwork.com
O15 - Trusted Zone: http://download.zonelabs.com

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found:

C:\PROGRA~1\CHINSE~1\WEBFORK.exe <--File
C:\DOCUME~1\bonnie\APPLIC~1\CHINSE~1\WEBFORK.exe <--File

C:\DOCUME~1\bonnie\APPLIC~1\AUDIOT~1\ <--Folder that begins with 'Audiot'
C:\Documents and Settings\All Users\Application Data\ProxyCreativeSixthDupe\ <--Folder

If any of these resist being deleted, boot into Safe Mode and try from there.


Double click on sched.bat previously saved to your desktop and a notepad file should open. Copy the contents of that file to your next post along with a fresh HJT log.
Derfram
~~~~~~
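The triage ddeerrff did by eye in the reply above can be written down as rules. The Python below is an added example, not part of this thread or of HijackThis: it parses a handful of lines copied from the log above and flags the same categories the reply told the poster to fix (a search URL that is blanked or points at an unknown host, an unnamed BHO loading from a profile folder, a Run entry launching from a profile or Application Data folder, and any Trusted Zone entry). The search-host allowlist and the profile-path markers are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xbsffeqointh.info/lxFx0I7MkO84/...Qr514iZ3Rdb.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {1AAAF363-4253-668F-855B-B41DDF3DE0BB} - C:\DOCUME~1\bonnie\APPLIC~1\CHINSE~1\WEBFORK.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sixthdupemetapop] C:\Documents and Settings\All Users\Application Data\ProxyCreativeSixthDupe\testgreat.exe
O4 - HKCU\..\Run: [ROAD POKE] C:\DOCUME~1\bonnie\APPLIC~1\AUDIOT~1\interliteroam.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O15 - Trusted Zone: http://*.foodnetwork.com
"""

# Assumed allowlist: hosts the legitimate search providers on this machine use.
SEARCH_ALLOWLIST = {"www.yahoo.com", "red.clientapps.yahoo.com", "www.msn.com", "www.google.com"}

# Assumed markers (lower-case, 8.3 aliases included) for a path inside a user profile or the
# All Users data folder; legitimate software normally runs from Program Files or WINDOWS.
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\", "\\applic~1\\")

R1_RE = re.compile(r"^R1 - (?P<key>.+?) = (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.+?)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")


def in_profile(path):
    """True when the path sits under a user profile or the All Users data folder."""
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def triage(log_text):
    """Return (section, reason, line) for every entry that merits a reviewer's attention."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R1_RE.match(line):
            value = m["value"]
            host = urlsplit(value).hostname if "://" in value else None
            if value.lower() == "about:blank":
                findings.append(("R1", "search setting blanked, typical of search hijackers", line))
            elif host and host not in SEARCH_ALLOWLIST:
                findings.append(("R1", "search URL points at unknown host " + host, line))
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)" and in_profile(m["path"]):
                findings.append(("O2", "unnamed BHO loading from a profile folder", line))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            # A quoted command may carry arguments (realsched.exe -osboot above); an unquoted
            # one may itself contain spaces, so only ever split on the closing quote.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
            if in_profile(exe):
                findings.append(("O4", "Run entry [%s] launches from a profile folder" % m["name"], line))
        elif O15_RE.match(line):
            # A Trusted Zone entry relaxes IE's security for that site; each needs the user's say-so.
            findings.append(("O15", "Trusted Zone entry, confirm the user added it", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(section, reason)
        print("   ", line)
```

Startup and Global Startup shortcuts (the O4 .lnk lines) are left for manual review; the script only judges Run entries.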

#3 desertcarr

desertcarr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 01 April 2005 - 11:39 PM

Thanks for your help. This is what I have now.

Volume in drive C has no label.
Volume Serial Number is E0E6-56DA

Directory of c:\windows\tasks

03/25/2005 10:54 AM <DIR> .
03/25/2005 10:54 AM <DIR> ..
04/01/2005 09:00 PM 236 A43051F49187C668.job
04/01/2005 09:00 PM 268 A990444191B3FFED.job
04/01/2005 09:00 PM 236 AFD693399185045D.job
08/23/2001 05:00 AM 65 desktop.ini
03/27/2005 02:00 PM 262 Disk Cleanup.job
04/01/2005 09:30 PM 6 SA.DAT
03/31/2005 04:00 PM 404 {16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
03/25/2005 04:00 PM 404 {E1AD6BB1-4F58-4C3A-9C09-D8C38C1A3CD3}_HOME-DESKTOP_bonnie.job
03/31/2005 09:00 AM 404 {F11169B7-371D-4112-881C-8405631DED05}_HOME-DESKTOP_bonnie.job
9 File(s) 2,285 bytes
2 Dir(s) 14,542,999,552 bytes free
-------
A H C:\windows\tasks\A43051F49187C668.job
A H C:\windows\tasks\A990444191B3FFED.job
A H C:\windows\tasks\AFD693399185045D.job
HR C:\windows\tasks\desktop.ini
A C:\windows\tasks\Disk Cleanup.job
A H C:\windows\tasks\SA.DAT
A H C:\windows\tasks\{16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
A H C:\windows\tasks\{E1AD6BB1-4F58-4C3A-9C09-D8C38C1A3CD3}_HOME-DESKTOP_bonnie.job
A H C:\windows\tasks\{F11169B7-371D-4112-881C-8405631DED05}_HOME-DESKTOP_bonnie.job

Logfile of HijackThis v1.99.1
Scan saved at 9:35:20 PM, on 4/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.csemebifovbzlggckzx.biz/lxFx0I7...gr514iZ3Rdb.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: SwiftWebInstall Class - http://media.affinitymedia.com/offer/insta...tWebInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 ddeerrff
Malware Response Team

Posted 02 April 2005 - 12:58 AM

Looks like we've got three hidden tasks that don't belong there.


Open Notepad, copy & paste the following into Notepad:

rem Clear the hidden attribute on the three job files so they can be deleted
attrib -h C:\windows\tasks\A43051F49187C668.job
attrib -h C:\windows\tasks\A990444191B3FFED.job
attrib -h C:\windows\tasks\AFD693399185045D.job
rem Delete them
del C:\windows\tasks\A43051F49187C668.job
del C:\windows\tasks\A990444191B3FFED.job
del C:\windows\tasks\AFD693399185045D.job
rem Re-list the folder with attributes to confirm they are gone
dir c:\windows\tasks /a > sched.txt
attrib c:\windows\tasks\*.* >> sched.txt
notepad sched.txt
del sched.txt

As before, save it to your desktop as Remjob.bat. Close Notepad.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.csemebifovbzlggckzx.biz/lxFx0I7...gr514iZ3Rdb.php

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.

Reboot.


Run Remjob.bat by double clicking on it.

Post the resulting text file in your next post along with a new HJT log.
Derfram
~~~~~~
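The sched.bat output in post #3 is what led to the call above about three hidden tasks. As an added example (not from this thread or from the helper), the Python below parses that dir /a and attrib output and applies the same test: a .job file is flagged only when it is hidden and its name is a bare 16-hex-digit string, because SA.DAT and the {GUID}_HOME-DESKTOP_bonnie.job entries in the same listing are hidden too and were rightly left alone. The sample is a trimmed copy of the posted output; the naming pattern is the one seen in this thread, not a general rule.

```python
import re

# Constructed sample: a trimmed copy of the sched.bat output posted above
# (dir /a listing, the ------- separator, then the attrib listing).
SCHED_OUTPUT = r"""
 Directory of c:\windows\tasks

03/25/2005 10:54 AM <DIR> .
03/25/2005 10:54 AM <DIR> ..
04/01/2005 09:00 PM 236 A43051F49187C668.job
04/01/2005 09:00 PM 268 A990444191B3FFED.job
04/01/2005 09:00 PM 236 AFD693399185045D.job
08/23/2001 05:00 AM 65 desktop.ini
03/27/2005 02:00 PM 262 Disk Cleanup.job
04/01/2005 09:30 PM 6 SA.DAT
03/31/2005 04:00 PM 404 {16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
-------
A H C:\windows\tasks\A43051F49187C668.job
A H C:\windows\tasks\A990444191B3FFED.job
A H C:\windows\tasks\AFD693399185045D.job
HR C:\windows\tasks\desktop.ini
A C:\windows\tasks\Disk Cleanup.job
A H C:\windows\tasks\SA.DAT
A H C:\windows\tasks\{16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
"""

# One dir entry: date, time, size, name. Directory rows show <DIR> instead of a size
# and therefore do not match.
DIR_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+(?P<size>[\d,]+)\s+(?P<name>.+)$")
# One attrib entry: attribute letters (A, H, R, S) with padding, then the full path.
# Works for real attrib output and for the whitespace-collapsed copy in the forum post.
ATTRIB_RE = re.compile(r"^(?P<flags>[AHRS ]*?)\s*(?P<path>[A-Za-z]:\\.+)$")
# The naming pattern of the three jobs removed in this thread: 16 hex digits and nothing else.
RANDOM_JOB_RE = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)


def parse_sched_output(text):
    """Return ({name: size} from the dir listing, {name: set of attribute letters} from attrib)."""
    sizes, attrs = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DIR_RE.match(line):
            sizes[m["name"]] = int(m["size"].replace(",", ""))
        elif m := ATTRIB_RE.match(line):
            name = m["path"].rsplit("\\", 1)[-1]
            attrs[name] = set(m["flags"].replace(" ", ""))
    return sizes, attrs


def suspicious_jobs(text):
    """List (name, size) for .job files that are hidden AND carry a bare 16-hex-digit name.

    Hidden alone is not enough: the scheduler's own SA.DAT and the {GUID}_HOST_user.job
    entries in the same listing are hidden as well and were left in place."""
    sizes, attrs = parse_sched_output(text)
    return sorted((name, sizes.get(name)) for name, flags in attrs.items()
                  if "H" in flags and RANDOM_JOB_RE.match(name))


if __name__ == "__main__":
    for name, size in suspicious_jobs(SCHED_OUTPUT):
        print("hidden job with random name: %s (%s bytes)" % (name, size))
```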

#5 desertcarr

desertcarr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 02 April 2005 - 06:03 PM

Thanks again for your help.

Volume in drive C has no label.
Volume Serial Number is E0E6-56DA

Directory of c:\windows\tasks

04/02/2005 03:59 PM <DIR> .
04/02/2005 03:59 PM <DIR> ..
08/23/2001 05:00 AM 65 desktop.ini
03/27/2005 02:00 PM 262 Disk Cleanup.job
04/02/2005 03:57 PM 6 SA.DAT
03/31/2005 04:00 PM 404 {16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
03/25/2005 04:00 PM 404 {E1AD6BB1-4F58-4C3A-9C09-D8C38C1A3CD3}_HOME-DESKTOP_bonnie.job
03/31/2005 09:00 AM 404 {F11169B7-371D-4112-881C-8405631DED05}_HOME-DESKTOP_bonnie.job
6 File(s) 1,545 bytes
2 Dir(s) 14,520,664,064 bytes free
HR C:\windows\tasks\desktop.ini
A C:\windows\tasks\Disk Cleanup.job
A H C:\windows\tasks\SA.DAT
A H C:\windows\tasks\{16010007-8F9B-40C6-B8AB-5EA9389FB54D}_HOME-DESKTOP_bonnie.job
A H C:\windows\tasks\{E1AD6BB1-4F58-4C3A-9C09-D8C38C1A3CD3}_HOME-DESKTOP_bonnie.job
A H C:\windows\tasks\{F11169B7-371D-4112-881C-8405631DED05}_HOME-DESKTOP_bonnie.job


Logfile of HijackThis v1.99.1
Scan saved at 4:02:58 PM, on 4/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hijack This\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bonnie\Application Data\Mozilla\Profiles\default\p02u5hyk.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: SwiftWebInstall Class - http://media.affinitymedia.com/offer/insta...tWebInstall.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{2106165E-2493-4F37-AD01-59CDD0C5EFB4}: NameServer = 24.116.0.154,24.116.0.202
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 ddeerrff
Malware Response Team

Posted 02 April 2005 - 11:12 PM

Both logs are now free of malware. Is the machine running a bit better?
Derfram
~~~~~~

#7 desertcarr

desertcarr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 03 April 2005 - 05:40 PM

Absolutely much better. Thank you so much for your help.

#8 desertcarr

desertcarr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 03 April 2005 - 05:42 PM

I forgot to ask if it's okay to remove the .bat folders from my desktop. Thanks again.

#9 ddeerrff
Malware Response Team

Posted 03 April 2005 - 07:09 PM

Yes, go ahead and remove those .bat files.

Now that you are clean, please follow these steps in order to keep your computer safe and secure:
Simple and easy ways to keep your computer safe and secure on the Internet
Derfram
~~~~~~

#10 ddeerrff
Malware Response Team

Posted 09 April 2005 - 10:12 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



