
Analyze HiJackThis Log please


8 replies to this topic

#1 jfariss1 (Members, 8 posts, Location: Georgia)

Posted 19 April 2005 - 09:37 PM

Hey,
I'm trying to clean up a friend's computer; could you guys analyze her HijackThis log and let me know what you find? Thanks, very much appreciated.


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_5b67.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKLM\..\Run: [0ae4Xa7p0.exe] C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O4 - HKCU\..\RunServices: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDD653DB-0F3C-4285-B3E5-632401A83F06}: NameServer = 204.127.202.19,216.148.227.79
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


#2 Guest_Cretemonster_* (Guests)

Posted 20 April 2005 - 07:53 PM

Hi there, jfariss1, and welcome to Bleeping Computer!

That log appears to have been run from Safe Mode; was it?

Let's do this for a good start!

Run this online scan:
http://www.kaspersky.com/beta?product=161744315
Delete whatever it finds!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Make sure Normal Startup is checked!

Click Apply >> OK and follow the prompts to restart. Make sure to restart in Normal Mode and scan with HijackThis again, post those results, and tell me what Kaspersky found!

#3 jfariss1 (Topic Starter, Members, 8 posts, Location: Georgia)

Posted 21 April 2005 - 05:05 PM

Hey Cretemonster,
Thanks for the help. I am running Mozilla Firefox, so I ran into a problem when I tried using the scanner, but I will go ahead and post a log in Normal Mode for you. Thanks again. Let me know if there are any scanners I can use in Firefox. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 6:04:55 PM, on 4/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_5b67.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKLM\..\Run: [0ae4Xa7p0.exe] C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O4 - HKCU\..\RunServices: [WDrvr32SSL] qpws32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDD653DB-0F3C-4285-B3E5-632401A83F06}: NameServer = 204.127.202.19,216.148.227.79
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#4 Guest_Cretemonster_* (Guests)

Posted 22 April 2005 - 11:20 AM

OK, looking at the last log, I see that Windows has never been updated. Why is this?

Do you have the original CD for Windows XP handy, just in case some critical files come up missing?

Let me know and we will go from there!

#5 jfariss1 (Topic Starter, Members, 8 posts, Location: Georgia)

Posted 23 April 2005 - 09:59 AM

Hey Cretemonster,
I am cleaning up a friend's computer, so I'm sorry it takes so long to respond; I appreciate your patience. I asked her if she knew where her original Windows CD is, and I am pretty sure we won't be able to find it, but I have my Windows CD, which is Windows XP Home Edition, and I think she is running Windows XP Professional. Let me know if I could use my CD. I am not sure why she hasn't updated Windows; do you mean online, through Windows Update on their website, or do you mean another way? Let me know what I can do from here; in the meantime I'll continue to look for her CD but probably will have no luck. Thanks again.

#6 Guest_Cretemonster_* (Guests)

Posted 23 April 2005 - 01:35 PM

OK, let's get started cleaning up this PC; we can worry about updates after it's clean!

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a direct download and a description of what the program does inside this link.
Download, unzip, extract all files and have it ready to use!


Download Microsoft AntiSpyware:
http://www.bleepingcomputer.com/forums/How...ware-tut98.html
There is a direct download and a tutorial on how to use it!
Download, unzip, extract all files and have it ready to use!

Download the Hoster from here:
http://www.funkytoad.com/download/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit the program.
This will restore the original, deleted Hosts file.


Go to Add/Remove Programs and remove:

Viewpoint
Lycos Sidesearch
NavHelper
InstaFinderK
SafeGuard Protect PCShield


Open HijackThis and put a check by these, but DO NOT hit the Fix Checked button yet!

R3 - Default URLSearchHook is missing

O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL

O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_5b67.dll

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe

O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

O4 - HKLM\..\Run: [WDrvr32SSL] qpws32.exe

O4 - HKLM\..\Run: [0ae4Xa7p0.exe] C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"

O4 - HKLM\..\RunServices: [WDrvr32SSL] qpws32.exe

O4 - HKCU\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [WDrvr32SSL] qpws32.exe

O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"

O4 - HKCU\..\RunServices: [WDrvr32SSL] qpws32.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders; this must be done after restarting in Safe Mode!
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Once in Safe Mode, click Start >> Run, copy and paste the line below into the Open box, and click OK:

sc stop delprot

and then

sc delete delprot

Open Pocket Killbox. In the box labeled "Full Path of File to Delete",

copy and paste this:

C:\Windows\System32\Drivers\Delprot.sys

Now put a tick by:
"Standard File Kill"
"End Explorer Shell while Killing File"

Now click the red circle with the white X in the middle to delete!
You should get a message saying "File Deleted Successfully".
If not, write that file name down and keep a running list!

Now for the next files, place a tick by
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Copy&Paste these:

C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\System32\sfg_5b67.dll
C:\Program Files\INSTAFINK\instafink.dll


Click the red circle to delete!

Now for the next files, place a tick by
"Standard File Kill"
"End Explorer Shell while Killing File"
"Deltree (Include SubDirectories)" <<< if available

Copy&Paste these:

C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\isrvs
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\System32\zzb.exe
C:\WINDOWS\System32\zzb2.exe
C:\WINDOWS\System32\qpws32.exe
C:\WINDOWS\av.exe
C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d
C:\Program Files\NavExcel\NavHelper
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager
C:\Program Files\Viewpoint


Now look in KillBox and click Tools >> Delete Temp Files and follow the prompts!

If there were any files that Killbox said it couldn't delete, please let me know in the next post; make sure to clarify whether it could not be deleted and why, or if the file doesn't seem to exist!

Also, it seems I saw the program CleanUp! in the first log; if you have that handy, run it now!

After all this is complete, open and run Microsoft AntiSpyware and delete all it finds!

Now run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Make sure Normal Startup is checked!

Click Apply >> OK, follow the prompts, and restart in Normal Mode!

Once in Normal Mode, scan the PC with HijackThis and post those results!

If you have been using Firefox because Internet Explorer was getting the mass of pop-ups, please try to open Internet Explorer now, and if the pop-ups have subsided, please use the link in my original post and do the online scan. You will have to use IE and download the ActiveX content for the scan to work!

Edited by Cretemonster, 23 April 2005 - 01:37 PM.
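The checks Cretemonster applied by eye across the two logs and the fix list above (entries whose file is gone, Run values that are a bare filename with no path, programs started from a temp folder, regsvr32 re-registering a DLL at every logon, one value name planted in HKLM, HKCU and RunServices) can be written down as rules and run over a log. The script below is an added example and not part of this thread, of HijackThis, or of any BleepingComputer tool; the embedded log is a constructed subset of the lines posted above, and the rule names and the wording of the findings are the example's own.

```python
"""Triage a HijackThis log with the checks a helper applies by hand.

Added example; the heuristics and messages are this script's own, not HijackThis's.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O4/O9/O18 lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKLM\..\Run: [0ae4Xa7p0.exe] C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [WDrvr32SSL] qpws32.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_5b67.dll"
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""

# O4 lines look like: O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First token ending in a program extension, so unquoted paths with spaces survive.
EXT_RE = re.compile(r'^(.*?\.(?:exe|dll|ocx|scr|com|bat|cmd))(?:\s|$)', re.I)
TEMP_MARKER = '\\temp\\'


def target_of(cmd):
    """Return the file a Run value actually loads: the regsvr32 DLL argument,
    the quoted program, or the first path-like token of an unquoted command."""
    cmd = cmd.strip()
    if cmd.lower().startswith('regsvr32'):
        quoted = re.search(r'"([^"]+)"', cmd)
        return quoted.group(1) if quoted else cmd.split()[-1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def is_unqualified(path):
    """True when the value has no drive letter, UNC prefix or %variable%, so
    Windows resolves it through the search path and the log shows no location."""
    return re.match(r'^(?:[A-Za-z]:\\|\\\\|%)', path) is None


def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    locations = defaultdict(set)   # value name -> {(hive, key)} it is registered under
    parsed = []
    for line in (l.rstrip() for l in log_text.splitlines() if l.strip()):
        low = line.lower()
        if '(no file)' in low or '(file missing)' in low:
            findings[line].append('orphan: the registry entry points at a file that is gone')
        m = O4_RE.match(line)
        if not m:
            continue
        parsed.append((line, m))
        target = target_of(m.group('cmd'))
        locations[m.group('name').lower()].add((m.group('hive'), m.group('key')))
        if is_unqualified(target):
            findings[line].append('bare filename: resolved via the search path, typical of a file dropped in System32')
        if TEMP_MARKER in target.lower():
            findings[line].append('autostart from a temp directory')
        if m.group('cmd').lstrip().lower().startswith('regsvr32'):
            findings[line].append('regsvr32 at logon: re-registers a COM DLL (here a BHO) on every boot')
        if m.group('key') == 'RunServices':
            findings[line].append('RunServices: Windows 9x key that XP does not process; legitimate XP software has no reason to write it')
    # Second pass, once every value name has been seen in every location.
    for line, m in parsed:
        n = len(locations[m.group('name').lower()])
        if n > 1:
            findings[line].append('same value name in %d Run locations: redundant persistence' % n)
    return dict(findings)


def fix_list(log_text):
    """Flagged lines in log order, i.e. the entries worth ticking in HijackThis."""
    flagged = triage(log_text)
    return [l.rstrip() for l in log_text.splitlines() if l.rstrip() in flagged]


def report(log_text):
    out = []
    for line, reasons in triage(log_text).items():
        out.append(line)
        out.extend('    -> ' + r for r in reasons)
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Run it and it prints each flagged line with the reasons; fix_list() returns the flagged lines in log order. The rules are deliberately narrow and do not replace a reviewer: [Antivirus] C:\WINDOWS\av.exe, which the fix list above also removes, passes every one of them, because knowing that no installed product lives at that path takes a human (or a hash lookup against the vendor's file list).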


#7 jfariss1 (Topic Starter, Members, 8 posts, Location: Georgia)

Posted 30 April 2005 - 02:19 PM

Hey Cretemonster,
Again I apologize for the delay. I did what you said and came up with the results. Again, I appreciate all the help you have given me. Thanks. Here is what I came up with.

-Jason


When I ran Killbox:

FILE DOES NOT SEEM TO EXIST

C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\System32\sfg_5b67.dll
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\System32\zzb.exe
C:\WINDOWS\System32\zzb2.exe
C:\WINDOWS\System32\qpws32.exe
C:\WINDOWS\av.exe
C:\documents and settings\sharon\local settings\temp\0ae4Xa7p0.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d
C:\Program Files\NavExcel\NavHelper
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager
C:\Program Files\Viewpoint

COULD NOT DELETE

C:\WINDOWS\isrvs

That was it for Killbox, and here is the HijackThis log; thanks again!


Logfile of HijackThis v1.99.1
Scan saved at 3:18:46 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [rb32 0l7014] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Sharon\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDD653DB-0F3C-4285-B3E5-632401A83F06}: NameServer = 204.127.202.19,216.148.227.79
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#8 Guest_Cretemonster_* (Guests)

Posted 30 April 2005 - 04:37 PM

OK, let's do this round, and then I need you to get Windows updated!

Update AVG but don't run it until we go to Safe Mode!

Go to Add/Remove Programs and remove these if they exist:

RapidBlaster
Bargain Buddy
CashBack Buddy
Bullseye Network
rb32 lptt01


Download and run RapidBlaster Killer 1.61 from here:
http://www.wilderssecurity.net/specialinfo...er.html#removal

Open HijackThis and put a check by these, but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe

O4 - HKLM\..\Run: [rb32 0l7014] "C:\Program Files\RapidBlaster\rb32.exe"

O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe

O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Sharon\Application Data\DownloadPlus.exe

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders; this must be done after restarting in Safe Mode!
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Once in Safe Mode, locate and delete these:

C:\WINDOWS\System32\a.exe<<< File Only!

C:\WINDOWS\Start Menu\Programs\Startup\DownloadPlus.exe<<< File Only!

C:\Documents and Settings\Sharon\Application Data\DownloadPlus.exe<<< File Only!

C:\WINDOWS\isrvs<<< Entire Folder

C:\Program Files\RapidBlaster<<< Entire Folder

C:\Program Files\Bargain Buddy<<< Entire Folder

Note: with all the above folders, you may have to open the folder and delete everything inside before the folder itself will delete!

You can use KillBox for anything not found; remember to use the Deltree option with folders!

Close all other programs, then open and scan with AVG and delete all it finds!

Restart in Normal Mode, then open Internet Explorer and have the PC scanned here:
http://www.pandasoftware.com/products/acti...n_principal.htm

Internet Explorer should be safe to open now and will be helpful for updating Windows!

So do the online scan and save the report it produces!

Once the scan is complete, open Internet Explorer and click Tools >> Windows Update!

Once all that is completed, scan the PC with HijackThis again and post those results along with the results from Panda!

#9 jfariss1 (Topic Starter, Members, 8 posts, Location: Georgia)

Posted 01 May 2005 - 11:46 AM

Hey Cretemonster,
I did an online scan using the Kaspersky scanner and here is what I found. A lot of trojans and stuff...

File Name | Virus Name
C:\Install.exe | Trojan-...S.Linker.g
C:\trufkz.html | Trojan-...S.Linker.g
C:\kans.reg | Trojan....LowZones.f
C:\kansup.reg | Trojan....LowZones.f
C:\a.exe | Trojan-...S.Linker.g
C:\SEPinst.exe | Trojan....2.Septic.a
C:\Documents ...tine\06240000.VBN | Trojan.Win32.Portal
C:\Documents ...tine\06240001.VBN | Trojan-...in32.Ipons
C:\Documents ...tine\04800000.VBN | Trojan-...32.Skoob.d
C:\Documents ...tine\06240002.VBN | Trojan-...32.Skoob.d
C:\Documents ...tine\08380000.VBN | Trojan-...2.Small.cw
C:\Documents ...tine\077C0000.VBN | Trojan-...2.Small.cw
C:\Documents ...tine\077C0001.VBN | Trojan-...2.Small.cw
C:\Documents ...tine\083C0000.VBN | Worm.Win32.Alphx.a
C:\Documents ...tine\080C0000.VBN | Email-W...32.Bagle.h
C:\Documents ...tine\080C0001.VBN | Email-W...32.Bagle.h
C:\Documents ...tine\02A40000.VBN | Trojan-...32.Agent.l
C:\Documents ...tine\0F940001.VBN | Trojan-...32.Agent.l
C:\Documents ...tine\0F940003.VBN | Trojan....lkStocks.a
C:\Documents ...tine\0F940005.VBN | Worm.Win32.Alphx.a
C:\Documents ...tine\0F940007.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\0F940009.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\0F94000B.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\0F94000D.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\0F94000F.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\0F940011.VBN | Email-W...32.Bagle.h
C:\Documents ...tine\0F940013.VBN | Email-W...32.Bagle.g
C:\Documents ...tine\07100000.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\06F00000.VBN | Email-W...32.Bagle.h
C:\Documents ...tine\07200000.VBN | Trojan-...2.Small.ev
C:\Documents ...tine\07040000.VBN | Email-W...32.Bagle.g
C:\Documents ...tine\04CC0000.VBN | Trojan-...S.Psyme.ak
C:\Documents ...tine\05D40000.VBN | Trojan....artPage.ku
C:\Documents ...tine\05CC0000.VBN | Trojan....artPage.ku
C:\Documents ...tine\07A40000.VBN | Trojan-...n32.Delf.z
C:\Documents ...tine\07980000.VBN | Trojan-...Inflator.b
C:\Documents ...tine\07980001.VBN | Trojan-...Inflator.b
C:\Documents ...tine\02240000.VBN | Backdoo...yboter.gen
C:\Documents ...tine\02200000.VBN | Backdoo...yboter.gen
C:\Documents ...tine\02040000.VBN | Backdoo...yboter.gen
C:\Documents ...tine\0AE80000.VBN | Backdoo...yboter.gen
C:\Documents ...tine\04E80000.VBN | Trojan.Win32.VB.kq
C:\Documents ...tine\05040000.VBN | Backdoo...2.Rbot.gen
C:\Documents ...tine\05040001.VBN | Backdoo...2.Rbot.gen
C:\Documents ...tine\05000000.VBN | Backdoo...2.Rbot.gen
C:\Documents ...tine\05C80000.VBN | Backdoo...2.Rbot.gen
C:\Documents ...tine\05C40000.VBN | Backdoo...2.Rbot.gen
C:\Documents ...tine\02380000.VBN | Trojan.....Delprot.a
C:\Documents ...tine\05D80000.VBN | Trojan.....Delprot.a
C:\Documents ...Sharon\cpdef2.exe | Trojan-...2.Apropo.r
C:\System Vol...RP12\A0001088.exe | Trojan.Win32.Golid
C:\System Vol...RP12\A0001092.exe | Trojan.....KillApp.f
C:\WINDOWS\system32\jpuzuqif.dll | Trojan.Win32.Goldid
C:\WINDOWS\inst\3p_2.exe | Trojan-...TSUpdate.f


I'll go ahead and do the rest of the things that you told me to do in the last post. For the time being, should I delete all that Kaspersky found, even though a window pops up saying it may affect your operating system?

Thanks

Edited by jfariss1, 02 May 2005 - 09:28 AM.




