Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Just need a quick review... I think


  • Please log in to reply
6 replies to this topic

#1 arosduck

arosduck

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 25 May 2005 - 08:53 AM

I have reviewed several of the other postings to determine which files to check for the hijack this, but am not quite sure which ones on my system i should check, since they are different. I have downloaded the CCleaner, and the ewido security suite, also have created two batch files ... fixnail and findfile as I located nail.exe and several versions of elite*.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:51:24 AM, on 5/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Desktop\virus\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteybj32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I would appreciate any assistance. Thanks, Andrew

BC AdBot (Login to Remove)

 


#2 jboz24

jboz24

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 25 May 2005 - 09:25 AM

arosduck,

I'm writing up some instructions right now. I'll post back in a little bit...

jboz24

#3 jboz24

jboz24

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 25 May 2005 - 10:07 AM

We have a little bit of work to do in order to remove some of the items on your computer. Please print these instructions out or save them to your desktop in notepad as you will be without internet access for a couple of these steps. If you have any questions or problems with any of the steps, please let me know. Thanks!

I. Add/Remove Programs

Please click "Start > Settings > Control Panel > Add or Remove Programs"
Find any of these items that exist and click on it to highlight it. To the left, a button should appear labelled "Update/Remove" -- click it to remove the program.

Lycos Sidesearch
MyWay, MySearch, MyToolBar or anything My<>
Elitebar

II. Update the Ewido definitions but do not run a scan yet

If for some reason you uninstalled Ewido, you can download it from http://download.ewido.net/ewido-setup.exe
Please install it and update the definition files but do not run a scan yet.

III. Please download Nailfix

http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

IV. Reboot into Safe Mode

Restart the computer and continually hit the F8 key (F5 on some Dell Computers).
Select the "Safe Mode" option when the "Windows Advanced Options" menu appears and press Enter.

Additional information about starting in Safe Mode can be found here: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

V. Please run Nailfix

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

VI. Ewido Scan

Please launch Ewido and run a full scan. Save the logfile from the scan.

VII. Please Launch HijackThis and place a check mark next to the following items that still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteybj32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Please close all open windows except for HijackThis and then click "Fix Checked".

Please reboot the computer normally.

VIII. Please run the following online scans

Panda Software -- http://www.pandasoftware.com/activescan/co...n_principal.htm

Click on "Scan your PC"
A box will pop-up, click "Next"; Then, type in your email address and click "Send"
Select your Country and State/Region. Click "Start"
A message may appear asking you to agree to the installation of ActiveX components on your system, click "Yes".
Please make sure all five options are checked and then click "All my computer"
Another box will pop-up, click "Close". Your scan should then begin.
When it is finished, please click "See Report" then click "Save Report"
Please post the contents of the saved file.

Housecall -- http://housecall.antivirus.com/housecall/start_frame.asp

Select your location and then hit "Go"
A box may appear requesting installation of an ActiveX object, allow it to do so.
After downloading any virus updates, you should place a check next to of your hard drives and in the "Auto Clean" box.
Then select "Scan".
When the scan is complete, a results box will be displayed with the option to delete the files.
Please click the delete button for all files listed in the box.

IX. Please run a new HijackThis scan and post the log along with the Ewido and Panda scan results

Thanks -- jboz24

#4 arosduck

arosduck
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 25 May 2005 - 02:50 PM

I have completed all of the steps.. took a lil while to do all the scans.

Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 3:41:19 PM, on 5/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Desktop\virus\hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Start
Adware:Adware/VirtualBouncer No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\System32\DealHelper
Adware:Adware/IEPlugin No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\sysfwb
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Favorites\Casino & Carrers
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Favorites\1111\1111.url
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\uninstaller.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\WinGenerics.dll
Adware:Adware/Pacimedia No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\xml\adult.tbr
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\xml\categories\drugs.mnu
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\xml\categories\fav.mnu
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\xml\default.tbr
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav-ico.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\xml\search.mnu
Adware:Adware/Transponder No disinfected C:\WINDOWS\fyimyr.exe
Virus:Trj/Downloader.ANX Disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\SYSTEM32\dist001.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\eliteewx32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\elitefbs32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\elitejka32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM32\eliteybj32.exe


What do i do next?

Thanks, Andrew

#5 jboz24

jboz24

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 25 May 2005 - 04:49 PM

Awesome job! Things are looking a lot better. Please follow these instructions and post another HijackThis log.

I. Please delete the following files and folders listed in RED if they still exist

Please find and delete the following folders:

C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Favorites\1111
C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Favorites\Casino & Carrers
C:\Program Files\AutoUpdate
C:\Program Files\CxtPls
C:\sysfwb
C:\WINDOWS\bsx32
C:\WINDOWS\EliteToolBar
C:\WINDOWS\System32\DealHelper

Please find and delete ONLY the files listed below. There may be other files with similar names in the folders listed below, please make sure you are deleting the correct file.

C:\Program Files\Windows Media Player\wmplayer.exe.tmp
C:\WINDOWS\bsx32.ini
C:\WINDOWS\fyimyr.exe
C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
C:\WINDOWS\SYSTEM32\eliteewx32.exe
C:\WINDOWS\SYSTEM32\elitefbs32.exe
C:\WINDOWS\SYSTEM32\elitejka32.exe
C:\WINDOWS\SYSTEM32\eliteybj32.exe

II. Please run the following online scan

BitDefender -- http://www.bitdefender.com/scan/licence.php

Click "Start BitDefender Online Scanner..." and then "I Agree"
While the scanner loads, it may request the installation of some ActiveX objects. Allow it to do so.
Click "Click here to scan"

Please reboot the computer and post a new HijackThis log.

#6 arosduck

arosduck
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 26 May 2005 - 09:40 AM

After completing the previous steps, this is the current hjt log

Logfile of HijackThis v1.99.1
Scan saved at 10:38:44 AM, on 5/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrea Giusti.ANDREWGREEN\Desktop\virus\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks, Andrew

#7 jboz24

jboz24

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 26 May 2005 - 10:43 AM

Andrew,

Great job! You HijackThis log looks clean :thumbsup:.

I noticed that you are currently running Windows XP without any of the services packs being applied. I strongly suggest upgrading to Service Pack 2 in order to update your system with the latest security patches. A lot of spyware can be prevented simply by staying current with Microsoft's released updates.

I. Set a new System Restore Point

Right click on "My Computer" and select "Properties"
Select the "System Restore" tab and check the "Turn off System Restore" box
Click "Yes" and then hit "OK"

Reboot

When Windows finishes loading, re-open the System Restore menu and uncheck the "Turn off System Restore" box to set a new System Restore point.

II. Service Pack Updates

Please visit http://v4.windowsupdate.microsoft.com/en/default.asp to update you computer with the most current security patches.

III. Prevention

In the future, there are some things you can do to prevent spyware infections:

A. Install the following freeware programs:
SpywareGuard -- http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster -- http://www.javacoolsoftware.com/spywareblaster.html

B. Keep your anti-virus and spyware definitions up to date. Be sure to scan at least once a week.

C. If you do not have a firewall, here are a couple freeware firewalls you can install:
Kerio Personal Firewall -- http://castlecops.com/downloads-file-77.html
Zone Alarm -- http://www.zonelabs.com/store/content/home.jsp

D. Stay updated with the most recent Windows patches using http://v4.windowsupdate.microsoft.com/en/default.asp

E. Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org

F. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

G. On a weekly basis, run Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup") and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files

H. Finally, there is an article posted by one of our site mod's with some additional insight. You can find that article at http://computercops.biz/postlite7736-.html

Thanks!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users