Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help for a friend in need...


  • This topic is locked This topic is locked
2 replies to this topic

#1 AMD ME

AMD ME

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 05 July 2005 - 07:33 PM

Hello. I'm new to this site, so pls bare with me. I have a friend who's computer is acting strange at times (freezing and crashing when looking at a webcam). I sent her the hijackthis program, and she sent me the log back. I looked through it, and I can tell she has an infection (surfsidekick, chod.exe, bin bleh to be more specific), but I'm not sure what's good and what isn't. If any of you can help me sort through the log, and tell me what I should have her delete, that'd be super! Thanks in advanced!

Logfile of HijackThis v1.99.1
Scan saved at 8:29:08 PM, on 7/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.evtvvajrsgkc.com/EXY_jIbBqhG5WI...QrbTqRgT2m.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {75B8C113-7099-2ACF-9EC6-C0E08E6946E1} - C:\DOCUME~1\sassy\APPLIC~1\COOLFI~1\Heart play.exe
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [dalewarn64glue] C:\Documents and Settings\All Users\Application Data\HoldNameDaleWarn\bin bleh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [chod] C:\WINDOWS\System32\chod.exe
O4 - HKCU\..\Run: [settings draw] C:\DOCUME~1\sassy\APPLIC~1\16owns\ProcAtom.exe
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab

Also, I'm having her download and run the avg virus scanner, to see if that would help. I may have her run adaware and S&D, but she is computer illertate, and hasn't got a clue what to do. Any help would be greatly appreciated. Thanks again!


Jeff

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:17 AM

Posted 06 July 2005 - 07:08 PM

Hello AMD ME and welcome to BleepingComputer.

The log shows that you are seriously behind on windows updates. It is essential that you update your operating system as soon as possible; otherwise any infections we remove could reoccur. Go to Windows Update and install all the offered Critical and Security updates and service packs. Windows 2000 needs to be at SP4. WindowsXP needs to be at least at SP1 and preferably SP2.


You have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first.

1. Go to Control Panel, then Add/Remove programs. Double click on "Messenger Plus!"

2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer.

6. You may reinstall Messenger Plus after you are clean as long as you DO NOT allow it to install the sponsor program.

While still in Add/Remove programs, look for and uninstall if found, Window Search, Window Searching, Lop.com, LOP Search, Browser Enhancer, or Ultimate Browser Enhancer. If you are given a code to insert, do so. Also while still in Add/Remove programs, uninstall if found: SurfSideKick 3

Also, I'm having her download and run the avg virus scanner, to see if that would help. I may have her run adaware and S&D, but she is computer illertate, and hasn't got a clue what to do. Any help would be greatly appreciated.

Yes, I notice you do not have any anti-virus software running. On today's internet, an up to date AV is a must. AVG by Grisoft is a well respected and free AV program. Download it, install it, update it, use it.

Also, I see no third party Firewall running. At least be sure that Windows XP built in firewall is active.

If possible, get her to:
Download Ad-aware SE v1.06 from LavaSoft. Install, update and configure it as explained in this tutorial. Run Ad-aware and allow it to remove everything it finds.

Download Spybot Search & Destroy v1.4. Install, update and configure it as expained in this tutorial. Run Spybot and allow it to remove everything it finds.


Reboot and post a fresh HJT log. It is very unusual to see a log with no O23 entries. On the next post, be sure the entire log is copied.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:17 AM

Posted 22 July 2005 - 02:47 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users