Log



#1 good morning

  • Members
  • 8 posts
  • OFFLINE

Posted 19 April 2005 - 10:39 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:38:03 AM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\a2\a2guard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keystonehighschool.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://keystonehighschool.com/
O2 - BHO: SDWin32 Class - {3B19FACD-ED28-4A09-A068-A641E36B0BFA} - C:\WINDOWS\System32\gyvfj.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Mo55Rgc8R] arpninst.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DB9EA424-4709-4614-86E8-B80BDA957841} (BomLoadCtl Class) - https://www.theymightbedownloads.com:8543/a...vex/bomload.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thanks :thumbsup:


#2 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE

Posted 20 April 2005 - 02:10 PM

Well hello GM and welcome to BleepingComputer. First, like when you go to your Doctor and he says "what hurts" when you go to a puter doctor it helps them to know what problem you are having. Thanks.
If you still need some help, please follow these directions:

This one is optional, but I think you will want it off your computer when you view the links. AOL puts it there without asking. I scheduled removal; you may pass it over if you wish to keep the stuff.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
http://www.kephyr.com/spywarescanner/libra...yer/index.phtml
http://computercops.biz/startuplist-4102.html
http://forums.net-integration.net/index.php?showtopic=13470

1) Open Add Remove programs then locate and uninstall:
Viewpoint or anything that looks like it
WildTangent if you see it
Any programs that you did not put there and want gone.

2) This item: O4 - HKCU\..\Run: [Mo55Rgc8R] arpninst.exe is running in your log and it does not identify, and we call that a random-named trojan. If you know what it is, do not remove it and let me know. Otherwise we will remove it. Since it is not running in running processes, it is probably running from the Prefetch folder, so we will need to empty it.

3) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing.

4) You are running SpywareGuard and it will stop the HJT fix. Right click it in the System Tray and exit; I hope that does it. If you know of any other program you have that stops changes, please turn it off until you are done with HJT.

5) Open Hijack this and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: SDWin32 Class - {3B19FACD-ED28-4A09-A068-A641E36B0BFA} - C:\WINDOWS\System32\gyvfj.dll (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Mo55Rgc8R] arpninst.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
-TrojanDownloader.OTXloader.A
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb.com/images/dlapplet.cab
-ISTBar Variant

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Viewpoint\ >>> folder
C:\Program Files\WildTangent\ >>> folder


While in Windows Explorer, locate and delete all files in the C:\Windows\Prefetch folder. Some items may not delete if they are running. HJT has stopped the bad item from running; just make sure this item: arpninst.exe is gone.
Empty all Temp folders (not the folder, just the content), and dump all temp internet files. Here is information if it helps:
http://techrepublic.com.com/5100-6270-5165773.html
http://www.personal-computer-tutor.com/deletingtempfiles.htm

Since we removed some, let's check for trojans, run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it.
http://www.windowsecurity.com/trojanscan/

Run CCleaner then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running.

Thanks...pskelley
HJT Team


PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed, follow these instructions:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 good morning
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 20 April 2005 - 08:26 PM

Thanks for the response. Sorry for the vagueness. :thumbsup: I was sent over here from another topic.

#4 good morning
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 21 April 2005 - 01:52 PM

Alright I followed your directions and this is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:49:51 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Anvil Studio\astudio.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keystonehighschool.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://keystonehighschool.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.bihira.com
O15 - Trusted Zone: *.georgepetrillo.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DB9EA424-4709-4614-86E8-B80BDA957841} (BomLoadCtl Class) - https://www.theymightbedownloads.com:8543/a...vex/bomload.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#5 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE

Posted 21 April 2005 - 02:09 PM

Hello GM, and how's it running? Are you George? The reason I am asking is that there are two new items in the "Trusted Zone":
O15 - Trusted Zone: *.bihira.com
O15 - Trusted Zone: *.georgepetrillo.com
If you placed them there that is fine; if not, you will want to remove them, as entries in this zone have much access to critical areas on your computer.

I also have an issue with the fact that you are running Selective Startup and I can't see what is disabled in MSCONFIG. Folks often think if they disable bad stuff it goes away...lol. If you know what the two trusted zone items are, and you know for a fact that nothing you have disabled in MSCONFIG is malware, then you have a clean log. If not, give me another log explaining the "Trusted Zone" items, and with MSCONFIG all enabled. You do not have to boot, you can run HJT, then go back to Selective Startup.

If we have no issues above then here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Good luck and safe surfing
Thanks...pskelley
HJT Team
BleepingComputer.com
http://www.bleepingcomputer.com/supportus.php
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
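The checks pskelley applies by eye in posts #2 and #5 (a Run entry with a random-looking name and no path, a BHO whose DLL is missing, and unexplained Trusted Zone entries), written up here as a small Python triage script; this is an added example, not part of the thread or of HijackThis, and the random-name heuristic and the sample lines are my own constructions based on the log format shown above.

```python
import re

# Constructed sample: HijackThis v1.99.1 lines in the format seen in this thread.
SAMPLE_LOG = r"""O2 - BHO: SDWin32 Class - {3B19FACD-ED28-4A09-A068-A641E36B0BFA} - C:\WINDOWS\System32\gyvfj.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mo55Rgc8R] arpninst.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O15 - Trusted Zone: *.bihira.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4 lines look like: O4 - HKCU\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def looks_random(name):
    """Assumed heuristic (not an HJT rule): a Run value name mixing upper case,
    lower case and digits with no spaces, like Mo55Rgc8R, is probably generated."""
    return bool(len(name) >= 6 and " " not in name
                and re.search(r"\d", name)
                and re.search(r"[a-z]", name)
                and re.search(r"[A-Z]", name))


def triage(log_text):
    """Return (section, reason, line) for the entries the thread treats as suspect."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if line.startswith("O2 - ") and line.endswith("(file missing)"):
            findings.append(("O2", "BHO CLSID registered but its DLL is gone; orphaned entry, fix it", line))
        elif m:
            reasons = []
            if looks_random(m["name"]):
                reasons.append("random-looking Run value name")
            if "\\" not in m["cmd"]:
                reasons.append("bare executable name, no full path")
            if reasons:
                findings.append(("O4", "; ".join(reasons), line))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("O15", "site gets relaxed IE security; confirm the user added it", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a full log to get the shortlist a helper would ask the poster about; everything else in the log still needs the usual eyeball pass.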

#6 good morning
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 21 April 2005 - 02:33 PM

Thanks for the response. The reason I came here originally is because certain sites give me "This Page Cannot be Displayed," so I asked and they said to post a log. The two sites in the trusted zones are the main sites I can't get to. Bihira.com is my host and GeorgePetrillo.com is my site. In MSConfig I just disabled the auto start for Quicktime. I still can't access the sites, but my computer is definitely running better. Thanks again.

#7 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE

Posted 21 April 2005 - 02:54 PM

Internet Explorer > Tools > Internet Options:

Some sites require cookies be enabled also; under the Privacy tab, the Edit button, make sure their cookies are not blocked. You may even want to add their name and make sure it says "Always Allow". Other than that, adding them to Trusted Sites on the Security tab is all I can think of off the top of my head. I recently had an issue with my bank, and the cookies were what was blocking me...lol

#8 good morning
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 21 April 2005 - 05:05 PM

That didn't work. Oh well...eventually something will...eventually. :thumbsup:

#9 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE

Posted 28 April 2005 - 06:18 PM

Malware issues resolved.
pskelley