Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

log - IE adds links to 103092804.com


  • This topic is locked This topic is locked
2 replies to this topic

#1 shoey

shoey

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 05 May 2005 - 08:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:16:20 AM, on 6/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\cdfview3.exe
C:\WINDOWS\System32\cdosys86.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Extensis\Portfolio 7\Portfolio Express.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\WISPTIS.EXE
E:\Jasc Software Inc\Paint Shop Pro 7\psp.exe
C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optima.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [88e3695a2ad5] C:\WINDOWS\System32\cdfview3.exe
O4 - HKLM\..\Run: [08034eb9d666] C:\WINDOWS\System32\cdosys86.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Portfolio Express.lnk = C:\Program Files\Extensis\Portfolio 7\Portfolio Express.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optima.com.au
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093856336006
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT Profile Manager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = capeyorkpartnerships.com
O17 - HKLM\Software\..\Telephony: DomainName = capeyorkpartnerships.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = capeyorkpartnerships.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Portfolio NetPublish (NetPub) - Extensis - C:\Program Files\Extensis\Portfolio NetPublish Server\WebRoot\app\NetPublish Server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

BC AdBot (Login to Remove)

 


m

#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 06 May 2005 - 01:30 PM

G'Day Mate, Welcome to BleepingComputer. First I need to be sure HJT is running from a drive and not a CD or floppy, see this: E:\hijackthis\HijackThis.exe If this is a CD or floppy we can loose our backups and logs if we need them, please move it to your C:\HJT\HJT.exe, this is very important. If you still need some help that lets do this.

1) C:\WINDOWS\notepad.exe, my scanner has suggested this may be something other that what it appears to be: http://securityresponse.symantec.com/avcen...hllw.qaz.a.html Please take a look to make sure it is a valid application of notepad. Right click and choose properties then on the general tab the size if valid should be 66,048 bytes. thanks.

2) these are just re-directs to Optima pages, if you do not want them there, you can check them and remove them with HJT.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optima.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/

3) C:\WINDOWS\System32\picsvr\picsvr.exe <<< this one is same nasty adware:
http://castlecops.com/startuplist-7519.html

4) These two do not identify as such we call them random named trojans. Unless you know what that are (please let me know) we need to remove them.
C:\WINDOWS\System32\cdfview3.exe
C:\WINDOWS\System32\cdosys86.exe

5) Microsoft AntiSpyware will block our HJT fix, please turn it off until you are finished:
To disable the program, follow the instructions below:
A.) Right click on the Microsoft Antispyware tray icon (a little red and yellow circle looking thing)
B.) Click on Security Agents Status (Enabled)
C.) Click on Disable Real-time Protection.

6) Check in Add Remove Programs for this item: picsvr, uninstall it if there. Open Task Manager then the Processes Tap, locate..highlite and end process on these:
picsvr.exe
cdfview3.exe
cdosys86.exe

7) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing.

8) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(first three are your option, if you want another StartPage, then rid yourself of these)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optima.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optima.com.au/
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [88e3695a2ad5] C:\WINDOWS\System32\cdfview3.exe
O4 - HKLM\..\Run: [08034eb9d666] C:\WINDOWS\System32\cdosys86.exe
(same..if you DO NOT want this as your StartPage, remove it)
O14 - IERESET.INF: START_PAGE_URL=http://www.optima.com.au

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\picsvr\ >>> folder

C:\WINDOWS\System32\cdfview3.exe >>> file

C:\WINDOWS\System32\cdosys86.exe >>> file

Let's check for trojans in case any are hiding, run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it.
http://www.windowsecurity.com/trojanscan/

Run CCleaner then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running.

Thanks...pskelley
HJT Team

PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instruction:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Edited by pskelley, 06 May 2005 - 01:32 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 16 May 2005 - 05:23 PM

No one has replied to this post so it will be closed. If you still have issues please start a new topic. pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users