
HJT - Powers



#1 powersbw


Posted 24 June 2005 - 03:55 PM

Could someone help me remove the junk from my laptop? I've already run Spybot and AdAware and rebooted. This is the resulting log file...


Logfile of HijackThis v1.99.1
Scan saved at 10:54:34 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\Program Files\Support.com\bin\tgsrvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\PROGRA~1\CYBERG~1\cgav.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\winnt\system32\wscript.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINNT\System32\PSof1.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\System32\kmlrjk.exe
c:\winnt\system32\numevu.exe
C:\WINNT\system\jkcmordrww.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\nbksso8\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconfig.bankofamerica.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CgaHelper] C:\PROGRA~1\CYBERG~1\cgahelp.exe -check
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /nf /server
O4 - HKLM\..\Run: [Userstate] c:\winnt\system32\wscript.exe "c:\program files\bank of america\userstate\logonmonitor.vbs"
O4 - HKLM\..\Run: [SwdisUsrPCN.B00114343A4D5] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Visual Mortgage Loanline Universal Config 20.04.10.13] C:\Program Files\Bank of America\VM 3.0\Bloomington\stub.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINNT\System32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\kmlrjk.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteizj32.exe
O4 - HKLM\..\Run: [dmuzbg] c:\winnt\system32\numevu.exe r
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {C45BF871-461C-11D5-81C5-0050DAC7A70C} - http://reportshop.bankofamerica.com/cab/datashop.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mn.bankofamerica.com
O17 - HKLM\Software\..\Telephony: DomainName = mn.bankofamerica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mn.bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mn.bankofamerica.com
O20 - Winlogon Notify: NavLogon - c:\WINNT\System32\NavLogon.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\tgsrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
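An added example, not from the original thread or from HijackThis itself: a small Python triage script that parses lines in this log format and picks out the kinds of entries visible in the log above (a system.ini Shell= value with an extra executable appended, an autorun launched from a temp directory, a service listed with no recorded publisher). The sample lines are a constructed subset modelled on the posted log, and the three checks are the script's own review heuristics, not a verdict on any file.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on a handful of
# the lines posted above (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\kmlrjk.exe reg_run
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, detail) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("rest")))
    return entries

def review_hjt(text):
    """Return (section, reason, detail) for entries an analyst should look at first."""
    flagged = []
    for sec, rest in parse_hjt(text):
        if sec == "F2" and rest.startswith("REG:system.ini: Shell="):
            # Winlogon's Shell value is normally just Explorer.exe; anything
            # appended runs at every logon (split on whitespace, so quoted
            # paths with spaces would need extra handling).
            extras = rest.split("Shell=", 1)[1].split()[1:]
            if extras:
                flagged.append((sec, "extra shell executable", " ".join(extras)))
        elif sec == "O4":
            m = O4_RE.match(rest)
            # Autorun entries that launch from a temp directory are unusual.
            if m and re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
                flagged.append((sec, "autorun from temp directory", m.group("cmd")))
        elif sec == "O23":
            m = O23_RE.match(rest)
            # HijackThis prints "Unknown owner" when no publisher is recorded.
            if m and m.group("owner") == "Unknown owner":
                flagged.append((sec, "service with no recorded publisher", m.group("path")))
    return flagged
```

Running `review_hjt(SAMPLE_LOG)` on the constructed sample returns three entries; on the full posted log the same checks would also surface the ATI and Tivoli services, which is why each hit is a prompt for review rather than a removal list.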


#2 H@ns


Posted 25 June 2005 - 08:41 AM

Download this tool: LQfix.zip
Unzip it to your Desktop.
Don't use it yet!

The above Registry file was written specifically for this infection and is not to be used on any other infection, as it could damage a person's PC.

IMPORTANT! Reboot the computer into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').

Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; that is normal.

Reboot into normal mode and scan with HijackThis. Post the new log as a reply to this thread.



