
HijackThis Log


This topic is locked
7 replies to this topic

#1 netsolutions

netsolutions

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 27 July 2005 - 07:01 PM

Following is a log for a Compaq PC running XP Home Edition. It had lots and lots of spyware on it, which I have cleaned off; however, I still keep getting a mysterious entry that I can't get rid of.

O4 - HKLM\..\Run: [xdfxne] c:\windows\system32\zgeokz.exe r

The name changes every time the process is killed. Any help would be appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 4:48:50 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\zgeokz.exe
C:\HIJT\HijackThis.exe

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [xdfxne] c:\windows\system32\zgeokz.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:16 PM

Posted 28 July 2005 - 07:41 AM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Download Nail/Aurora Spyware Fix
Do not use it yet.

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Reboot into Safe Mode:
°To get into Safe Mode, press and hold your "F8" key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

* Run CCleaner and click Run Cleaner (bottom right)

* Still in Safe Mode, open Ewido Security Suite
Click on Scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

Close Ewido

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [xdfxne] c:\windows\system32\zgeokz.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot your system back to normal mode.

Post a new HijackThis Log and the Ewido Log by using Add Reply.

If that random file is still there in your processes afterwards, I have other tools to deal with it. But it is really important that you perform those previous steps, because more is going on on your system. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 28 July 2005 - 02:48 PM

OK, here are the log files.

Logfile of HijackThis v1.99.1
Scan saved at 12:33:29 PM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\zjlqour.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HIJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [vsnqyq] c:\windows\system32\zjlqour.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


********************************************************************

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:20:36 AM, 7/28/2005
+ Report-Checksum: F5EEEB39

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{05C2ECE7-AB9F-8750-F571-7DD76F135929} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38A09FC8-FCAF-3D1E-A6D6-FB0A0E2E2D98} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5B7E5C2F-7668-51A3-BA8C-F6B376755AF9} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{76321C6A-B800-93A4-24BB-B1F318D2A8E0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FA16BCE1-5E36-472A-8466-E0CDD5CE00E6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.HbtCoreServices\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtCoreSrv.LfgAx\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtMailAnim\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostOL.HbtWebmailSend\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtHtmlMenuUI\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtToolbar.HbtToolbarCtl\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F6DA8BB-3E45-44E2-B494-C55BEAF3B41E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D47BD4DE-B880-4610-8A8B-C173DEC4272F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{45397063-D7D0-47C2-9508-26487608A298} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71E9CF40-AF72-4B55-BD3F-1FEA2A0EAEA6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{793AF621-5CD0-4B92-B765-6712F6AAF48E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{85A886B2-29BB-4189-8046-A66733B242E9} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{9967A873-40F3-4C7E-9239-6C8760F19F61} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B9F51D42-CCA0-4408-BB02-D433D1865A3A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C83DAED4-0611-4F7A-978E-7FEAFCB2F91B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F8EE014F-B34C-4544-8E45-95A7971D323B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\MachineInfo -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\Mail -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\Updates -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Install\CmpMap -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HbToolsOutlookTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HbToolsWebTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Common -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Common\Time -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Common\Updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\EUI -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\ImagesHistory -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\Install -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\options -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\Sample -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\Sample\Hist -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\UserInfo -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HbTools\Weather -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HostOL\soho -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostIE -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostIE\updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\HbTools\Time\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\.DEFAULT\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Common -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Common\Time -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Common\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\dynamic -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\EUI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\HtmlPPP -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\ImagesHistory -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\init -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Install -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\links -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\options -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg800 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg801 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg802 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg803 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg807 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg808 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg810 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg811 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg812 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg818 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg819 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg827 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg828 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg829 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\Sample\Hist\sg830 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HbTools\UserInfo -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HostOL\soho -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostIE -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostIE\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\HbTools\Time\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A8A997F-BB9F-48F6-AA2B-2762D50F9289} -> Spyware.SmartShopper : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-1202660629-1770027372-839522115-1005\Software\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Common -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Common\Time -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Common\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\EUI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\ImagesHistory -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\Install -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\options -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\Sample -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\Sample\Hist -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\UserInfo -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HbTools\Weather -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HostOL\soho -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostIE -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostIE\updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostOI -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostOI\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostOL -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\HbTools\Time\HostOL\Updates -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-18\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
[1268] c:\windows\system32\jyfvqgv.exe -> Adware.BetterInternet : Cleaned with backup
C:\!Submit\cowmqvx.exe -> Adware.BetterInternet : Cleaned with backup
C:\!Submit\yezjlcx.exe -> Adware.BetterInternet : Cleaned with backup
C:\install_george.exe -> Spyware.PurityScan : Cleaned with backup
C:\Program Files\HbTools\bin\4.6.2.0\HbtGuard.exe -> Spyware.Hotbar : Cleaned with backup
C:\Program Files\HbTools\bin\4.6.2.0\HbtHostOE.dll -> Spyware.HotBar : Cleaned with backup
C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\4F2B69C2-383F-49AC-902D-B5C3E6\F91CC533-59CC-4F39-975F-F4DAD5 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B61C5C1E-E42F-4865-8593-10C445\72B5FE48-3088-4791-B74E-BBEA6F -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Yahoo!\Messenger\skins\juliesbutterfliesM\d1g1m0s.exe -> TrojanDownloader.Rameh.a : Cleaned with backup
C:\RECYCLER\S-1-5-21-1202660629-1770027372-839522115-500\Dc1.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1202660629-1770027372-839522115-500\Dc3.exe -> Adware.BetterInternet : Cleaned with backup
C:\Wildmedia324.exe -> TrojanDownloader.Agent.ac : Cleaned with backup
C:\WINDOWS\aigxgg.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\downloader.ocx -> TrojanDownloader.VB.mk : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\m7.exe -> TrojanDownloader.Swizzor.k : Cleaned with backup
C:\WINDOWS\system32\cccwspoolcz.exe -> TrojanDownloader.Troll : Cleaned with backup
C:\WINDOWS\system32\jyfvqgv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ukc.exe -> Trojan.Aditer : Cleaned with backup


::Report End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:16 PM

Posted 28 July 2005 - 03:09 PM

I have a question first... After the reboot, did you get an error saying that nail.exe wasn't found?

Let's try to deal with that random named file first... I think you'll recognise it in your processes by now. :thumbsup:

Download apt: http://www.diamondcs.com.au/index.php?page=apt

Disconnect from the internet!!

Open apt and search in the window for the bad process zjlqour.exe (most probably it will have another name now).
Open your system32 folder and search for zjlqour.exe (or whatever it is named now :flowers: ). Don't delete it yet; just leave the system32 folder open so you can see the bad file.
In apt again, select zjlqour.exe and click Kill3.

Then immediately delete the bad file in your system32 folder (right-click > Delete). Please make sure you don't double-click it instead, because then it disappears and another bad one is created!

When that file is deleted, check and fix the next lines in HijackThis:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [vsnqyq] c:\windows\system32\zjlqour.exe r


Reboot and post a new HijackThis log.

Edited by miekiemoes, 28 July 2005 - 03:10 PM.

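The triage that miekiemoes does by eye in posts #2 and #4 (a Run entry with a random-looking name pointing into system32 and ending in ` r`, a `Shell=` value that starts something besides Explorer.exe, and a service with no vendor) can be written down as a small scanner. The script below is an added example, not part of this thread and not part of HijackThis; it runs over a constructed set of lines modelled on the entries posted above, and the "random name" rule and the flag reasons are assumptions made for the example, not HijackThis rules. Hits are prompts for a human to look closer, which is the same standard miekiemoes applies to the Ewido results ("if you are unsure of an entry, select none").

```python
import ntpath
import re

# Constructed sample lines, modelled on the HijackThis entries posted in this thread.
# This is not a saved log file; it mixes the entries that were flagged with benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xdfxne] c:\windows\system32\zgeokz.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Line shapes used by HijackThis v1.99.1 for the three entry types handled here.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) \(([^)]*)\) - (.*?) - (.*)$")

# Heuristic (an assumption of this example, not a HijackThis rule): a Run value
# name and a file stem that are both short runs of lowercase letters, like
# "xdfxne" / "zgeokz", look machine-generated.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def split_command(command):
    """Split an O4 command into (path, args), honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a human second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            path, args = split_command(command)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            reasons = []
            if ("\\system32\\" in path.lower()
                    and RANDOM_NAME_RE.match(name)
                    and RANDOM_NAME_RE.match(stem)):
                reasons.append("random-looking value name and file name in system32")
            if args == "r":
                reasons.append("single-letter argument 'r', as on the entries in this thread")
            if reasons:
                findings.append((line, "; ".join(reasons)))
            continue

        m = SHELL_RE.match(line)
        if m:
            # A clean Shell= value is exactly "Explorer.exe"; anything appended
            # after it is started alongside the desktop at every logon.
            tokens = [t.lower() for t in m.group(1).split()]
            if tokens != ["explorer.exe"]:
                findings.append((line, "Shell= starts something besides Explorer.exe"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            _name, _short, owner, _path = m.groups()
            if owner.lower() == "unknown owner":
                findings.append((line, "service with no vendor information"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

On the sample above the scanner reports exactly the three lines miekiemoes asked to have fixed by name pattern (the `xdfxne` Run entry, the `Nail.exe` Shell value and the `SvcProc` service); `Dinst` is not caught, because it was identified from knowledge of the file rather than from the line's shape, which is the limit of this kind of triage. To run it on a saved log, pass `open(path, encoding="latin-1").read()` to `triage()`.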

#5 netsolutions

netsolutions
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 28 July 2005 - 09:45 PM

Yes I did have the error about nail.exe after the reboot.

I also needed to clean up the shell registry entry by hand as it still contained the nail reference.

It took rebooting in safe mode and several attempts to be able to delete the bad file as it kept renaming itself.

However, everything appears good now.

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:37 PM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HIJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

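The two lines miekiemoes asked to fix in post #4 (the F2 Shell= entry with Nail.exe appended and the O4 Run entry with a random key name launching a random system32 executable) and the corresponding clean lines from the log in post #5 can be told apart mechanically. The following parser is an added example and not code from this thread or from HijackThis; the "random-looking key" rule and the bare "r" argument check are heuristics assumed here from the names seen in this thread (xdfxne, vsnqyq, zjlqour), not documented HijackThis behaviour.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two lines flagged for fixing in post #4, followed by the
# corresponding fixed F2 line and two benign O4 entries from the clean log in post #5.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [vsnqyq] c:\\windows\\system32\\zjlqour.exe r
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$')
# Assumed heuristic: the Run keys this infection used (xdfxne, vsnqyq, ...) are short
# runs of lowercase letters, while the legitimate keys here carry case, spaces or digits.
RANDOM_KEY_RE = re.compile(r'^[a-z]{3,8}$')

def split_command(cmd):
    """Return (exe_path, args) for a Run value, honouring a quoted executable path."""
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(' ')
    return exe, args

def check_line(line):
    """Return the reasons a HijackThis line deserves attention (empty list if benign)."""
    reasons = []
    m = F2_RE.match(line)
    if m:
        # Post #5 shows the fixed value as Explorer.exe on its own; anything appended
        # to it (here Nail.exe) is started by Winlogon at every logon.
        if m['shell'].strip().lower() != 'explorer.exe':
            reasons.append('Shell= is not exactly Explorer.exe: ' + m['shell'])
        return reasons
    m = O4_RE.match(line)
    if m:
        exe, args = split_command(m['cmd'])
        in_system32 = 'system32' in (p.lower() for p in PureWindowsPath(exe).parts)
        if in_system32 and RANDOM_KEY_RE.match(m['key']):
            reasons.append('random-looking Run key %r launching %s' % (m['key'], exe))
        if in_system32 and args == 'r':
            reasons.append('bare "r" argument, as used by the renaming file in this thread')
    return reasons

def suspicious_entries(log_text):
    """Map each flagged line of a whole HijackThis log to its reasons."""
    return {ln: check_line(ln) for ln in log_text.splitlines() if check_line(ln)}

if __name__ == '__main__':
    for line, why in suspicious_entries(SAMPLE_LOG).items():
        print(line, '\n   ->', '; '.join(why))
```

Run against the sample, only the two lines from post #4 are reported; the fixed Shell= line and the product entries pass.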
#6 miekiemoes

  • Malware Response Team

Posted 29 July 2005 - 02:24 AM

I see a clean log. :thumbsup:

It took rebooting in safe mode and several attempts to be able to delete the bad file as it kept renaming itself.


Yes, sometimes it works in one flow with APT, other times you need to do this more than once... abusing it a bit. :flowers:

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.
If you don't have those programs yet, you can find the download locations in my sig.

To keep this clean in the future, I would suggest the following things:

Most important thing... Install an antivirus and a firewall!!!

AVG, Bitdefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease their reliability!
ZoneAlarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls:
http://www.bleepingcomputer.com/forums/ind...showtutorial=60

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Kaspersky online and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again! :trumpet:

#7 netsolutions

  • Topic Starter

Posted 29 July 2005 - 11:03 AM

Thanks for the help, it is a much happier machine.

#8 miekiemoes

  • Malware Response Team

Posted 29 July 2005 - 11:09 AM

Glad I could help you. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
