Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

What Do I Have?


  • This topic is locked This topic is locked
2 replies to this topic

#1 mommio2

mommio2

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 16 May 2005 - 07:46 PM

Hello,
I am an elementary computer teacher. I had to bring one of our computers home so I could spend more time working on ridding it of spyware. It is totally infected! No matter what spedial fixes I try, more bad stuff seems to come back! Here is my HijackThis log. Could anyone please tell me exactly what is left I need to get rid of? Thanks very much!

Logfile of HijackThis v1.99.1
Scan saved at 8:35:21 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\desk98.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\??sks\mshta.exe
C:\DOCUME~1\frlock\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cincinnati.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [uaukga] c:\windows\system32\uaukga.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKCU\..\Run: [Xjtyd] C:\WINDOWS\system32\??sks\mshta.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\frlock\Application Data\osoa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:06 AM

Posted 17 May 2005 - 03:25 PM

Hello mommio2 and welcome to BleepingComputer.

You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [uaukga] c:\windows\system32\uaukga.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKCU\..\Run: [Xjtyd] C:\WINDOWS\system32\??sks\mshta.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\frlock\Application Data\osoa.exe
With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):c:\windows\system32\uaukga.exe <--Files
C:\WINDOWS\system32\n20050308.EXE
C:\Documents and Settings\frlock\Application Data\osoa.exe

C:\WINDOWS\system32\??sks\ <--Folder
If any of these resist being deleted, boot into Safe Mode and try from there.


Reboot and post a new HJT log. How are things running?
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:06 AM

Posted 31 May 2005 - 12:18 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users