
HijackThis log


3 replies to this topic

#1 anabub

anabub

  • Members
  • 2 posts

Posted 16 May 2005 - 03:23 PM

Hi there, I have run Ad-Aware and Spybot, but neither of these seems to fix the problem; they cannot delete/fix all the probs. There is a directory - C:\windows\isrvs - which contains a load of files including ffisearch.exe that I cannot delete. Also, these are called by a key in the registry that I cannot delete :thumbsup: Furthermore, there are some other directories that look dodgy...

Also, I have tried to remove the stuff relating to spoolsrv32.exe but cannot.

Please help... I do have a recovery disk, so I can wipe my HDD and reset to factory settings etc.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 23:50:45, on 15/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Acer\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Acer\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Acer\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{169B4C93-917E-4CC0-ABBB-CBA0AFCDA65B}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{169B4C93-917E-4CC0-ABBB-CBA0AFCDA65B}: NameServer = 195.92.195.95 195.92.195.94
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



Thanks
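The HijackThis log above is mostly read by eye, but the O4 lines have a regular shape that is easy to parse. The following is an added example, not part of this thread or of HijackThis itself: it extracts the O4 autorun entries into records and applies two cheap triage heuristics, flagging executables that live outside the usual install locations (the `C:\WINDOWS\isrvs` entry) and value names registered under more than one key (the `Srv32 spool service` entry, which appears in both HKLM and HKCU RunOnce). The trusted-directory list, the `PROGRA~1` expansion and the sample lines are constructed assumptions about this particular Windows XP machine.

```python
"""Parse the O4 (autorun) lines of a HijackThis log and flag entries for review.

Added example. The trusted-directory list and the PROGRA~1 expansion are
assumptions about a typical Windows XP box, not rules HijackThis applies.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the O4 lines from the log above, in HijackThis v1.99 format.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Acer\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
"""

# Shape of an O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Autorun:
    hive: str     # HKLM or HKCU
    key: str      # Run, RunOnce, RunServices, ...
    name: str     # registry value name shown in [brackets]
    command: str  # command line exactly as logged


def parse_autoruns(log_text: str) -> list:
    """Return every O4 line as an Autorun record; all other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(*m.groups()))
    return entries


def executable_path(command: str) -> str:
    """Pull the executable out of a logged command line.

    A quoted path may be followed by arguments (see the Ad-Aware entry); an
    unquoted one is taken whole, which is how HijackThis prints argument-less
    entries in this log."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    return command.strip('"')


# Assumption: legitimate autoruns on this box live in these locations.
# Anything else is not proof of malware, only a reason for an analyst to look.
TRUSTED_PREFIXES = ("C:\\PROGRAM FILES\\", "C:\\WINDOWS\\SYSTEM32\\")
TRUSTED_EXACT_DIRS = ("C:\\WINDOWS",)
SHORT_NAMES = {"PROGRA~1": "PROGRAM FILES"}  # assumption: the 8.3 alias in use here


def normalize(path: str) -> str:
    """Upper-case the path and expand the 8.3 aliases we know about."""
    p = path.upper()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def triage(log_text: str) -> dict:
    """Two cheap heuristics over the autorun entries:
    - unusual_dir: the executable lives outside the trusted locations
    - duplicate_name: the same value name is registered under more than one key,
      worth a look when it shows up in RunOnce, which Windows is supposed to
      clear after a single use."""
    entries = parse_autoruns(log_text)
    unusual = []
    for e in entries:
        path = normalize(executable_path(e.command))
        directory = path.rsplit("\\", 1)[0]
        if not (path.startswith(TRUSTED_PREFIXES) or directory in TRUSTED_EXACT_DIRS):
            unusual.append(e)
    seen = Counter(e.name for e in entries)
    duplicates = [e for e in entries if seen[e.name] > 1]
    return {"unusual_dir": unusual, "duplicate_name": duplicates}


if __name__ == "__main__":
    for reason, hits in triage(SAMPLE_LOG).items():
        for e in hits:
            print(f"{reason:15} {e.hive}\\{e.key} [{e.name}] -> {executable_path(e.command)}")
```

Run it and the ffis entry is reported as living in an unusual directory while the two `Srv32 spool service` entries are reported as a duplicate registration; the Acer, Synaptics, Norton and Ad-Aware entries pass both checks. The heuristics are deliberately conservative; they sort the log into "look here first" rather than decide what is malicious.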


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2005 - 01:12 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Reboot into safe mode and

Then please run Ewido, and run a full scan. Post the log from the scan here for me.

#3 anabub

anabub
  • Topic Starter

  • Members
  • 2 posts

Posted 22 May 2005 - 01:20 PM

Hi,
Ran Ewido in safe mode; it didn't remove anything, just ignored them.

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:41:33, 21/05/2005
+ Report-Checksum: 1D685BB2

+ Date of database: 21/05/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 142573
+ Speed: 49.96 Files/Second
+ Infected files: 58
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Headteacher\Application Data\rroe.exe -> Spyware.PurityScan.w -> Ignored
C:\Documents and Settings\Headteacher\Cookies\headteacher@23233294[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Headteacher\Cookies\headteacher@com[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Headteacher\Cookies\headteacher@search.msn[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\B218898208\build2.exe -> Spyware.Isearch -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\Del17.tmp -> TrojanDownloader.Small.asf -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\Del26.tmp -> Spyware.180Solutions.e -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\res18.tmp -> Spyware.180Solutions.g -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\shop1004.exe -> Spyware.Sahat.m -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\temp.frFD33 -> Spyware.Isearch -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\IQU19P4E\128461[1].exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\IQU19P4E\nem220[1].dll -> TrojanDownloader.Dyfuca -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\JAFX59NB\27[1].exe -> TrojanDownloader.Small.my -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\SPERS9QF\block[1].exe -> TrojanProxy.Lager.g -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\SPERS9QF\latest[1].exe -> TrojanProxy.Lager.f -> Ignored
C:\HijackThis\backups\backup-20050512-213327-194.dll -> TrojanDownloader.Ieser.a -> Ignored
C:\HijackThis\backups\backup-20050515-220152-672.dll -> TrojanDownloader.Ieser.a -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0010068.exe -> Trojan.Agent.ct -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0010135.dll -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0011128.dll -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0011132.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0011376.exe -> TrojanDownloader.Mediket.ag -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP59\A0011719.dll -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP60\A0011721.exe -> TrojanDownloader.Dyfuca.dk -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP60\A0011722.dll -> TrojanDownloader.Dyfuca -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP60\A0012711.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP60\A0012713.exe -> TrojanDownloader.Wintool.e -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP61\A0012722.exe -> TrojanDownloader.Small.asf -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP61\A0012740.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP61\A0012741.exe -> TrojanDownloader.Agent.ex -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP61\snapshot\MFEX-2.DAT -> Spyware.Isearch -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP63\A0014812.exe -> Spyware.Isearch -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP63\snapshot\MFEX-1.DAT -> Spyware.Isearch -> Ignored
C:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Ignored
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Ignored
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Ignored
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch -> Ignored
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Ignored
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Ignored
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Ignored
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Ignored
C:\WINDOWS\loadclean.exe -> TrojanDownloader.Small.vn -> Ignored
C:\WINDOWS\shop1004.exe -> Spyware.Sahat.m -> Ignored
C:\WINDOWS\system32\cmd32.exe -> TrojanDownloader.Small.vn -> Ignored
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Ignored
C:\WINDOWS\system32\intfsdffdsronsad.exe -> Spyware.ISearch.d -> Ignored
C:\WINDOWS\system32\intronsad.exe -> TrojanProxy.Lager.g -> Ignored
C:\WINDOWS\system32\izxczxcr.exe -> TrojanDownloader.Delf.lf -> Ignored
C:\WINDOWS\system32\izxxzdsafsafczxcr.exe -> TrojanDownloader.Small.aqt -> Ignored
C:\WINDOWS\system32\lpzxcz324534xct.exe -> Trojan.LowZones.y -> Ignored
C:\WINDOWS\system32\lpzxczxct.exe -> TrojanDownloader.Small.my -> Ignored
C:\WINDOWS\system32\mѕdtc.exe -> Spyware.PurityScan.bk -> Ignored
C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy.e -> Ignored
C:\WINDOWS\system32\systemctrl.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\us3432xzcb.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\win32.exe -> TrojanProxy.Lager.f -> Ignored
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.le -> Ignored
C:\WINDOWS\system32\~update.exe -> TrojanProxy.Lager.f -> Ignored


::Report Ends

Thanks
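A scan report like the one above lists 58 detections, but they are not all equal: many sit in System Restore snapshots, tool backups, browser cache and temp folders rather than in locations that run at boot. The following is an added example, not part of this thread or of the Ewido product: it parses the `path -> signature -> action` lines and groups them by where they live, so that the handful of live `C:\WINDOWS` findings stand out from the archived copies. The location labels and the constructed sample (ten lines taken from the report above) are assumptions made for this example.

```python
"""Group ewido scan-report detections by where on disk they live.

Added example. The location classes below are this example's own triage
labels, not categories the scanner emits.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: ten detection lines from the report above.
SAMPLE_REPORT = r"""+ Scan result:
C:\Documents and Settings\Headteacher\Application Data\rroe.exe -> Spyware.PurityScan.w -> Ignored
C:\Documents and Settings\Headteacher\Cookies\headteacher@com[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temp\Del17.tmp -> TrojanDownloader.Small.asf -> Ignored
C:\Documents and Settings\Headteacher\Local Settings\Temporary Internet Files\Content.IE5\JAFX59NB\27[1].exe -> TrojanDownloader.Small.my -> Ignored
C:\HijackThis\backups\backup-20050512-213327-194.dll -> TrojanDownloader.Ieser.a -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP48\A0010068.exe -> Trojan.Agent.ct -> Ignored
C:\System Volume Information\_restore{0C30F5B4-E983-45C8-94AF-D9E5EFF39D58}\RP61\snapshot\MFEX-2.DAT -> Spyware.Isearch -> Ignored
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Ignored
C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy.e -> Ignored
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Ignored
::Report Ends
"""

# One detection per line: <path> -> <signature> -> <action>
DETECTION_RE = re.compile(r"^(.+?) -> (\S+) -> (\w+)$")

# Ordered rules; the first pattern that matches wins.
LOCATION_RULES = [
    ("restore-point (inactive copy)", re.compile(r"^C:\\System Volume Information\\_restore", re.I)),
    ("hjt-backup (inactive copy)", re.compile(r"^C:\\HijackThis\\backups\\", re.I)),
    ("browser cache / cookies", re.compile(r"\\(Cookies|Temporary Internet Files)\\", re.I)),
    ("temp", re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("windows / system32 (live)", re.compile(r"^C:\\WINDOWS\\", re.I)),
]
INACTIVE_LOCATIONS = {"restore-point (inactive copy)", "hjt-backup (inactive copy)"}


def parse_detections(report: str) -> list:
    """Return (path, signature, action) tuples for every detection line."""
    found = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def classify(path: str) -> str:
    """Map a detected path to one of the location labels above, else 'other'."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def summarize(report: str) -> dict:
    """Group detections by location label: {label: [(path, signature), ...]}."""
    by_location = defaultdict(list)
    for path, signature, _action in parse_detections(report):
        by_location[classify(path)].append((path, signature))
    return dict(by_location)


def active_findings(report: str) -> list:
    """Detections outside restore points and tool backups, i.e. the ones that
    describe the live system rather than archived copies of old infections."""
    return [item for label, items in summarize(report).items()
            if label not in INACTIVE_LOCATIONS for item in items]


def family_counts(report: str) -> Counter:
    """Count detections by the leading part of the signature name."""
    return Counter(sig.split(".")[0] for _p, sig, _a in parse_detections(report))


if __name__ == "__main__":
    for label, items in summarize(SAMPLE_REPORT).items():
        print(f"{len(items):3} {label}")
        for path, signature in items:
            print(f"      {signature:32} {path}")
    print("families:", dict(family_counts(SAMPLE_REPORT)))
```

On the sample, three of the ten detections are in live `C:\WINDOWS` locations and three more are archived copies in restore points or HijackThis backups; the rest are cache, cookies, temp and one file in the user's Application Data. Sorting the full report this way is the first step before deciding what actually needs removing and what is merely a stale copy.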

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 22 May 2005 - 05:28 PM

Please run two online virus scans:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://www.kaspersky.com/service?chapter=161739400#betatest

Then let us know if it's working better and what the scans found.
