Hijack log - various problems


7 replies to this topic

#1 Daniell

Posted 23 May 2005 - 07:45 AM

hi!

I have several problems which seem to come and go. They include:

Task Manager closing instantly, as well as other programs like HijackThis, msconfig, Norton...
my internet connection disconnecting (I think this is due to something called svchos1at.exe), or being unable to connect at all
homepage changing, links in favourites appearing
general slower performance, freezing often

I think there are more... I have run Spybot Search & Destroy and tried to stop things like wuamkop.exe from running, but they always reappear. At the moment, I seem to have solved the connection problems by running A Squared (which stops svchos1at.exe from disconnecting me), but other problems, such as Task Manager not opening, are still there.

Any help would be much appreciated; every time I seem to have solved my problems, something else goes wrong! Here is my log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msmsngr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\System32\winsci.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jack\Desktop\Games\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\lsasss.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
O4 - HKLM\..\Run: [System Updates] winsci.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System Updates] winsci.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [System Updates] winsci.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [System Updates] winsci.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1B53E9A-87AA-4B6F-AA95-F2E78817CFBE}: NameServer = 194.72.9.34 194.74.65.68
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

thanks again in advance


#2 Daniell

Posted 23 May 2005 - 03:29 PM

bump

#3 Daniell

Posted 23 May 2005 - 03:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 13:51:10, on 23/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Oops, I forgot this bit.

#4 Guest_Cretemonster_*

Posted 23 May 2005 - 04:11 PM

Hi Daniell and Welcome to the Bleeping Computer Help Forums!

I see that Windows has not been updated in quite a while!

Are you able to access the Windows Update Site?
http://windowsupdate.microsoft.com/

If you can access it, please update the system to no more than SP1!

Please keep in mind that these Infections will continue to return until we get you clean and completely updated!

All the Updates contain multiple Security flaws that Microsoft has had to patch up!

For the time being, let's get some cleaners running on the PC!

Please don't run any of these until I ask you to!

Download The Hoster
http://www.funkytoad.com/download/hoster.zip

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
ewido security suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Download Ad Aware SE 1.05 if you haven't already!
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

Please Install>Update and Configure for a Full System Scan just as described in the link!

Download CCleaner
http://www.filehippo.com/download_ccleaner.html
This is to help keep those Temporary Files Cleaned Up!

All you will want to use on this is the Opening Page (Windows Tab). Just Click Run Cleaner and let it do its thing!

Download CleanUp! 4.0
http://downloads.stevengould.org/cleanup/CleanUp40.exe

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Run the Programs in this order please!

1.Ewido Security Suite
Once the Scan is completed>Please Save the log it generates!

2.Ad Aware
Scan the PC>Delete all it Finds and Delete the quarantine files!

3.CCleaner
Click the Run Cleaner tab and let it do its thing!

4.CleanUp!
Click the Cleanup button>let it do its thing>Once complete Click Close and "Yes" to log Off!

5.The Hoster
Press "Restore Original Hosts" and press "OK". Exit Program.

Restart the PC Normal and try to access the Windows Update site!!!

Have the PC Scanned here
http://www.kaspersky.com/beta?product=161744315

Do whatever it takes to get the PC scanned there!

The Scan itself will take several hours to complete depending on the size of the Hard Drive!

Once all is Completed>Post back with the log from Ewido>Any logs the Kaspersky Scan may produce and a fresh HijackThis log!

#5 Daniell

Posted 26 May 2005 - 05:40 AM

hey thanks a lot for your help so far. here is my ewido log:

+ Created on: 20:45:08, 24/05/2005
+ Report-Checksum: 342878F4

+ Date of database: 24/05/2005
+ Version of scan engine: v3.0

+ Duration: 56 min
+ Scanned Files: 130021
+ Speed: 38.05 Files/Second
+ Infected files: 50
+ Removed files: 50
+ Files put in quarantine: 50
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\lsp.dll -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\sahagent.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\system32\sahhtml.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\system32\dνdplay.exe -> Spyware.PurityScan.bj -> Cleaned with backup
C:\WINDOWS\svchost.exe -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\browserxtras\pn\remove.exe -> TrojanDownloader.Keenval.f -> Cleaned with backup
C:\WINDOWS\cmssx.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\qttasks.exe -> Spyware.Small.d -> Cleaned with backup
C:\WINDOWS\hgfrre.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\geffge.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\wqgff.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\smssrs.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\uytlkk.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\sddda.dll -> Trojan.Agent.cl -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\lsp_.dll -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe -> Spyware.Sahat.f -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets.f -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\temp.fr8424 -> Spyware.WinAD.f -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\svchost.exe -> Trojan.Agent.cl -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\res65.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\my.class-dc825cc-1a810626.class -> TrojanDownloader.Small.aaq -> Cleaned with backup
C:\Documents and Settings\Jack\msdirectx.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\Program Files\Common Files\updmgr\updmgr.exe -> TrojanDownloader.Keenal -> Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe -> Spyware.SaveNow.z -> Cleaned with backup
C:\Program Files\Windows ServeAd\WinServAd.exe -> Spyware.WinAD.f -> Cleaned with backup
C:\Program Files\altnet\Points Manager\Points Manager.exe -> Spyware.AltnetBDE -> Cleaned with backup
C:\Program Files\perfectnav\bho\PerfectNav150c.dll -> Spyware.eUniverse -> Cleaned with backup
C:\temp\NCasePackage.exe -> Spyware.180solutions -> Cleaned with backup
C:\temp\SearchRelevancy.exe -> Spyware.Relevance.a -> Cleaned with backup
C:\temp\sahagent-cdt1001.exe -> Spyware.Sahat.h -> Cleaned with backup


::Report End

and my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:38:22, on 26/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msmsngr.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\winsci.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jack\Desktop\Games\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\lsasss.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
O4 - HKLM\..\Run: [System Updates] winsci.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System Updates] winsci.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [System Updates] winsci.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [System Updates] winsci.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116943388653
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1B53E9A-87AA-4B6F-AA95-F2E78817CFBE}: NameServer = 194.72.9.34 194.74.65.68
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

#6 Guest_Cretemonster_*

Posted 26 May 2005 - 08:43 PM

Did the Kaspersky Scan show anything?

Is there a Report of what happened during that Scan?

Please Go to Add\Remove Programs and Remove the following if they exist

Media Access
BearShare
Windows ServeAd\Windupdates
Altnet
ShopAtHomeSelect Agent
PurityScan
KeenValue
SaveNow
180solutions
SearchRelevancy


Please Download CCleaner
http://www.filehippo.com/download_ccleaner.html
This is to help keep those Temporary Files Cleaned Up!

All you will want to use on this is the Opening Page (Windows Tab). Just Click Run Cleaner and let it do its thing!

Please Download CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "Yes" to Logoff!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders. This must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Locate and Delete

C:\WINDOWS\System32\winsci.exe<< File!

C:\WINDOWS\System32\msmsngr.exe<< File!

C:\WINDOWS\System32\msconfig32.exe<< File!

C:\WINDOWS\browserxtras<< Folder!

C:\Program Files\PerfectNav<< Folder!

C:\Program Files\Altnet<< Folder!

C:\Program Files\Windows ServeAd<< Folder!

C:\Program Files\BearShare<< Folder!

C:\Program Files\Common Files\updmgr<< Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\lsasss.dll (file missing)

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe

O4 - HKLM\..\Run: [System Updates] winsci.exe

O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKLM\..\RunServices: [System Updates] winsci.exe

O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKCU\..\Run: [System Updates] winsci.exe

O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKCU\..\RunServices: [System Updates] winsci.exe

O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "Services" Tab

Locate this entry
MDM (Machine Debug Manager) << Uncheck the Box beside it

Under the "Startup" Tab

Make sure every box there has a check by it!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!


Post back the Results from the Panda Scan>a fresh HijackThis log and let me know if you were able to get a report from the Kaspersky Scan you did!
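The judgement the helper applies above when singling out entries such as [System Updates] winsci.exe, [Compaq32 Service Drivers] msconfig32.exe and [msmsngr] C:\WINDOWS\System32\msmsngr.exe can be written down as a small triage script. The Python below is an added example for this thread, not code from HijackThis, ewido or the helper. It parses O4 (autostart) lines and scores the traits a helper looks at first: a bare filename with no path, a RunServices key (a Win9x key that Windows XP never reads, so no legitimate XP installer writes it), a value name that poses as a Microsoft or OEM component, a file launched from a temp directory or the Windows root, and a file named after a core Windows process or within two characters of one. The rule weights, the threshold and the lists of core and commonly imitated process names are the example's own assumptions; the sample lines are an excerpt of the O4 entries posted earlier in this thread.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries.
Added example for this thread, not code from HijackThis, ewido or the helper;
weights, threshold and name lists are the example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core processes are started by the boot chain, never from a Run key; they are
# also the names malware most often imitates (sample list, not complete).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
LOOKALIKE_TARGETS = CORE_PROCESSES | {"msnmsgr.exe", "msconfig.exe"}
IMPERSONATING_WORDS = re.compile(
    r"\b(microsoft|windows|system|security|update|service|driver|cryptographic)",
    re.IGNORECASE)
# A temp directory, or the Windows root itself (not System32 or Program Files).
SCRATCH_LOCATION = re.compile(r"\\temp\\|^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First program file in the command: a quoted path, or else the shortest prefix
# ending in a program extension (unquoted paths may contain spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|ocx|com|scr|bat)))(?=\s|,|$)',
    re.IGNORECASE)

@dataclass
class Finding:
    name: str          # value name shown in [brackets]
    target: str        # file the entry actually launches
    score: int
    reasons: List[str]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def target_of(cmd: str) -> str:
    """File the command really launches; rundll32 is only a host, so its DLL argument is the target."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    exe = m["q"] or m["u"]
    if exe.lower().endswith("rundll32.exe"):
        exe = cmd[m.end():].strip().split(",")[0].strip().strip('"')
    return exe

def assess_o4(line: str, threshold: int = 2) -> Optional[Finding]:
    """Score one O4 line; return a Finding when it reaches the threshold."""
    m = O4_RE.match(line.strip())
    if not m:                       # not a Run-key entry (e.g. Global Startup)
        return None
    target = target_of(m["cmd"])
    base = target.rsplit("\\", 1)[-1].lower()
    # An exact core-process name is scored on its own; only look for near misses otherwise.
    lookalike = None if base in CORE_PROCESSES else next(
        (k for k in LOOKALIKE_TARGETS if k != base and levenshtein(base, k) <= 2), None)
    checks = [  # (weight, reason, fired?)
        (1, "no path given: the file is wherever the search path finds it",
         "\\" not in target),
        (1, "RunServices key: Win9x-only, never read by Windows XP",
         m["subkey"].lower().startswith("runservices")),
        (1, f"value name '{m['name']}' poses as a Windows or OEM component",
         bool(IMPERSONATING_WORDS.search(m["name"]))),
        (1, "launched from a temp directory or the Windows root",
         bool(SCRATCH_LOCATION.search(target))),
        (2, f"{base} is a core process and is never started from a Run key",
         base in CORE_PROCESSES),
        (2, f"{base} is a near-miss spelling of {lookalike}", lookalike is not None),
    ]
    score = sum(w for w, _, hit in checks if hit)
    if score < threshold:
        return None
    return Finding(m["name"], target, score, [why for _, why, hit in checks if hit])

def triage(log_text: str, threshold: int = 2) -> List[Finding]:
    """Run assess_o4 over every line of a HijackThis log, keeping log order."""
    return [f for f in (assess_o4(l, threshold) for l in log_text.splitlines()) if f]

# Constructed excerpt of the O4 entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
O4 - HKLM\..\Run: [System Updates] winsci.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.target} score={f.score}: " + "; ".join(f.reasons))
```

On the sample, the five entries the helper lists for "Fix Checked" (or their equivalents) come out above the threshold, while ctfmon.exe, the real msnmsgr.exe and the Java update scheduler stay below it. Scores are a triage aid, not a verdict: [Cryptographic Service] C:\WINDOWS\System32\rvxeolbt.exe from the later log scores only 1 under these rules, because its value name is the only trait the rules see, so weights should be tuned against logs already classified by hand.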

#7 Daniell

Posted 28 May 2005 - 09:31 AM

The Kaspersky scan didn't seem to allow me to save a report, but it did find some infected files. Also I ran the Panda scan, and it found (and deleted) some viruses and spyware, but when I tried to save the report the computer froze. I tried again but the same thing happened.

The main problem now seems to be Internet Explorer running slowly and crashing/freezing.

So I only have another HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 15:30:08, on 28/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\system32\slserv.exe
C:\Documents and Settings\Jack\Application Data\My-disgo\MyKey disgo.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Documents and Settings\Jack\Desktop\Games\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [kryz] C:\WINDOWS\kryz.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rvxeolbt.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Jack\Application Data\My-disgo\MyKey disgo.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: MindManager PDF Writer.lnk = C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116943388653
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1B53E9A-87AA-4B6F-AA95-F2E78817CFBE}: NameServer = 194.72.9.34 194.74.65.68
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

note this is with everything ticked in 'startup' of msconfig. thanks again for your help

#8 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 28 May 2005 - 01:02 PM

OK.....Looks like there was quite a bit suppressed by Msconfig!!!

That's OK too...At least I know we are getting there!!!

After this Pass you follow the next steps and Restart the Machine, Go directly to the Microsoft Updates Site and Start getting updates, without them we are just spitting in the wind!

Get Ewido and Ad Aware up to date with the latest definition files!

If you see a Gator Icon in the System Tray by the Clock>>Right Click it and Select Exit!

Go to Add\Remove Programs again and be sure none of these exist

Gator\Gain
Kazaa
GMT
CMEII
BearShare
Viewpoint\Viewpoint Manager
WindowsSA
Windows ServeAd\Windupdates
Altnet
ShopAtHomeSelect Agent
PurityScan
KeenValue
SaveNow
180solutions
SearchRelevancy


Restart in Safe Mode and Make sure Windows is still showing Hidden Files!

Locate and Delete these folders

C:\Program Files\Windows ServeAd

C:\Program Files\WindowsSA

C:\Program Files\Viewpoint

C:\Program Files\Kazaa

C:\Program Files\BearShare

C:\Program Files\Common Files\GMT

C:\Program Files\Common Files\CMEII

C:\Program Files\Common files\updmgr

C:\WINDOWS\System32\P2P Networking

Locate and Delete these Files

C:\WINDOWS\System32\SahAgent.exe

C:\WINDOWS\System32\rvxeolbt.exe

C:\WINDOWS\kryz.exe

C:\Windows\winlogon.exe<<< Make sure winlogon.exe is only deleted from the Windows Folder!

DO NOT DELETE WINLOGON.EXE FROM THE SYSTEM32 FOLDER!!!!

Now Navigate to each of these Temp folders and Delete everything that is inside the temp folder but don't delete the Temp folder itself!

C:\temp

C:\Windows\temp

C:\Windows\System32\temp

C:\Documents and Settings\Owner\Local Settings\Temp\

C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning!!)

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104.exe"

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [mswspl] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [kryz] C:\WINDOWS\kryz.exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rvxeolbt.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe


Now, Scan the PC with Ewido again and Save that log!

Scan the PC with Ad Aware and Delete all returns!

Restart Normal and Run Hoster once more just as you did before!

Post a fresh HijackThis log and the Ewido results!
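The entries Cretemonster singles out above share a few tells that can be checked mechanically: an executable launched from a temp folder, a core Windows process name (winlogon.exe) living outside System32, and an unfamiliar System32 binary hiding behind a trustworthy-sounding Run-key label. The script below is an added example, not code from the poster or from HijackThis; it parses O4 Run-key lines in the format HijackThis prints and reports which of those tells each entry trips. The System32 path, the allowlist of expected System32 autostart binaries (only ctfmon.exe to start with) and the sample log lines are assumptions constructed for the example, modelled on the log in this thread.

```python
"""Triage HijackThis O4 (autostart) entries with a few defender-side heuristics."""
import re
from pathlib import PureWindowsPath

# Matches an O4 Run-key line as HijackThis prints it:
#   O4 - HKLM\..\Run: [label] "C:\path\to\file.exe" /switch
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$'
)
# Pulls the executable path out of the command, quoted or not, dropping any switches.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)

# Core Windows process names that legitimately live only in System32.
SYSTEM_PROCESS_NAMES = {
    "winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe",
}
# Assumption: the Windows directory of the machine being reviewed.
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")
# Assumption: a starting allowlist of System32 binaries expected under a Run key;
# an operator extends it for their own environment.
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}

REASON_TEMP = "runs from a temp folder"
REASON_IMPERSONATION = "system process name outside System32"
REASON_UNKNOWN_SYSTEM32 = "unrecognised System32 binary under a Run key"


def parse_o4(line):
    """Return (hive, label, PureWindowsPath) for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:
        return None
    return m.group("hive"), m.group("label"), PureWindowsPath(exe.group("path"))


def _same_dir(a, b):
    # Windows paths are case-insensitive; the log mixes System32 and system32.
    return str(a).lower() == str(b).lower()


def reasons_for(path):
    """Heuristic reasons an autostart executable deserves a second look."""
    reasons = []
    parts = [p.lower().rstrip("\\") for p in path.parts]
    if "temp" in parts:
        reasons.append(REASON_TEMP)
    name = path.name.lower()
    in_system32 = _same_dir(path.parent, SYSTEM32)
    if name in SYSTEM_PROCESS_NAMES and not in_system32:
        reasons.append(REASON_IMPERSONATION)
    if in_system32 and name not in SYSTEM32_RUN_ALLOWLIST:
        reasons.append(REASON_UNKNOWN_SYSTEM32)
    return reasons


def triage(log_text):
    """Return the flagged entries as dicts with hive, label, path and reasons."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, label, path = parsed
        reasons = reasons_for(path)
        if reasons:
            findings.append({"hive": hive, "label": label, "path": str(path), "reasons": reasons})
    return findings


# Constructed sample in the shape of the log above; not a capture from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rvxeolbt.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']} [{f['label']}] {f['path']}: {', '.join(f['reasons'])}")
```

Run it on a saved HijackThis log by passing the file contents to `triage()`. The output is a review list, not a verdict: the System32 allowlist check in particular will surface legitimate entries until the allowlist is filled in for the machine, which is exactly the manual comparison a helper does when reading the log.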