
My HiJack This Log


17 replies to this topic

#1 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 04 May 2004 - 10:37 PM

Recently, I have been having problems, clicking links. :trumpet: I could not d/l a recent version, but using one I had already.

After going through the tutorial, I have come up with a few suggestions, but wanted a second opinion prior to making any changes. :flowers:

Logfile of HijackThis v1.97.7
Scan saved at 9:49:18 PM, on 5/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason\Desktop\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00001/chm.chm::/files/initial.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab


I think that I should have HiJack This remove these entries (I have not made any changes):

Processes:
These are the only ones that I have not done much research on, but I believe that they have something to do with my Sound Blaster
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe

Entries:

Remove all 01 Hosts
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00001/chm.chm::/files/initial.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab

I was going to remove these entries, in safe mode, reboot, and post another log. Have I missed anything? Are any of the deleted files, wrong?

Thank you for your input. :thumbsup:
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:12 AM

Posted 04 May 2004 - 11:20 PM

I agree with everything except:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

No need to remove that as it's valid and default by IE

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 AM

Posted 04 May 2004 - 11:28 PM

Edit: Sorry, Grinler, didn't see your post. Here's my take on it.

Hi JE,
First, this one SHOULD NOT be removed:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

Second, that list of Hosts files is what's causing the problems with links. I need to research it further, but I think it's either from CWS.Smartkiller or one of the more recent viruses/worms. Have you run CWShredder since this started happening? If not, try that. You won't be able to download it or update it with those hosts files present. If you have a copy check to make sure it's version 1.57.0--if so then run CWshredder in safe mode. If you need the latest version, try it from here.

I'll get back to you to see what I can find out about the rest of it. I think you're right about the other entries (except I don't know about the services), but hold off on fixing with HT for now unless someone tells you different.

The thing about people

is they change

when they walk away.--Mipso


#4 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 04 May 2004 - 11:29 PM

Thank you much for your advice. I printed out your HiJack This tutorial, and was basing my removals on it. BTW good work on it :thumbsup: !!

I wanted to make changes on mine, before I try out on someone else's.

Would you say, that there is no need for O1 entries? If they are Host file redirections, then would you say that it is safe to delete these, in any log?

I will disable system restore, boot into safe mode, have HiJack This remove entries, delete related files, empty recycle bin, reboot computer, and post a new log. Likely it will not happen tonight though.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#5 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 04 May 2004 - 11:34 PM

Thanks Papa. I will leave that file alone, and will hold off making any changes. I could not access CWShredder, with the link provided :thumbsup:

I am doing a search on the HD, for it. I may have d/l a long time ago. Will post back the version.

Thanks again
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 AM

Posted 05 May 2004 - 12:57 AM

OK Je, it's the iSearch toolbar. You'll need to do some further cleaning up after using HijackThis because it evidently adds more hosts entries that HT doesn't detect. So try this:

Go ahead and run HijackThis & fix the entries you picked out less the legit one. But don't turn off System Restore beforehand. Close all other windows before fixing with HT then reboot afterward. I hope then you can access these two threads at Wilders:

http://www.wilderssecurity.com/showthread.php?p=162577

http://www.wilderssecurity.com/showpost.ph...233&postcount=2

If not, here's a copy and paste of instructions for further removal.

Posted by dvk01

It has turned out that none of the automatic removal tools, like adaware or spybot or by manually fixing the O1 hosts file entries with Hijackthis actually removes all the bad hosts file entries that this toolbar drops.

the cure is to download & install hosts file reader from http://members.shaw.ca/techcd/VB_Pr...sFileReader.zip

and then click on search for hosts

when any hosts file is found, it will be listed in the bottom window, click on it and press the reset default button.

that will replace any bad entries with the standard windows entries

NOTE: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re enter them .

an alternative method is to manually edit the hosts file yourself and remove the bad dropped entries from the toolbar

The hosts file reader allows you to do that as well

we have discovered a new hosts file editor that is easier to use
http://members.aol.com/toadbee/hoster.zip

download and unzip it, run it and tick the boxes beside the entries you wish to remove and press remove checked

please though still use the hosts file reader first to check for additional versions of the hosts file that several similar parasites drop



And from the other post by dvk01:

and when you are deleting the files that Dave said you need to delete the entire C:\WINDOWS\System32\services folder, there are several other files in there that reinstall this baddie



So it is not a good idea, IMO, to empty the recycle bin when deleting a folder from System 32. Take your system for a test run. If any problems, restore the Services folder back into System 32. If you're sure you're clean, then you can empty the bin & turn off System Restore to delete any backups to the malware that might have been made.

As always, feel free to post back with any questions.

BTW, your setup is very similar to mine--emachines & Earthlink.

The thing about people

is they change

when they walk away.--Mipso
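As an added illustration, not part of this thread and not code from HijackThis, CWShredder, Hosts File Reader or Hoster, the Python script below does what the O1 discussion in post #1, Papakid's explanation in post #3 and dvk01's quoted notes in post #6 describe by hand: it parses either the O1 lines of a HijackThis log or a raw hosts file and flags the hijack pattern, which is a name other than localhost pinned to a 127.x address so that the browser silently never reaches the site. It goes a little beyond the thread in that it handles several names on one hosts line and leaves a legitimately customized non-loopback entry untouched, which is the caveat dvk01 raises about reset-to-default tools. The function names, the reason strings and both sample inputs are my own constructions.

```python
from ipaddress import ip_address

# Constructed sample input: a few lines in the shape of a HijackThis log,
# including O1 hosts entries of the kind seen in the first post.
SAMPLE_HJT_LOG = """\
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
"""

# Constructed sample input: a raw hosts file with one dropped entry and one
# legitimate custom mapping that a cleanup must not touch.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.90      www.safer-networking.org safer-networking.org
192.168.1.10    intranet.example   # legitimate custom mapping (constructed)
"""

LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}
REASON_PINNED = "name pinned to a loopback address (site silently unreachable)"
REASON_LOCALHOST = "localhost mapped to an unusual loopback address"


def parse_entries(text):
    """Return (ip, hostname) pairs from a HijackThis log or a raw hosts file.

    Comments and lines that are not hosts mappings (O2/O4 log lines, for
    example) are skipped; a hosts line may carry several names after the address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()
        tokens = line.split()
        if len(tokens) < 2:
            continue
        try:
            ip = ip_address(tokens[0])
        except ValueError:
            continue  # first token is not an address, so this is not a hosts mapping
        for host in tokens[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_entries(entries):
    """Flag the hijack pattern: anything in 127/8 (or ::1) that is not the
    standard localhost line. Non-loopback entries, such as a user's own custom
    mappings, are never flagged, so they survive a cleanup."""
    flagged = []
    for ip, host in entries:
        if not ip.is_loopback:
            continue
        if host not in LOCALHOST_NAMES:
            flagged.append((str(ip), host, REASON_PINNED))
        elif ip.version == 4 and str(ip) != "127.0.0.1":
            flagged.append((str(ip), host, REASON_LOCALHOST))
    return flagged


def clean_hosts_text(text):
    """Return hosts-file text with the flagged lines removed and the standard
    localhost line guaranteed present; comments and custom entries are kept."""
    bad = {(ip, host) for ip, host, _ in suspicious_entries(parse_entries(text))}
    kept = []
    for raw in text.splitlines():
        if any((str(ip), host) in bad for ip, host in parse_entries(raw)):
            continue
        kept.append(raw)
    if not any(str(ip) == "127.0.0.1" and host == "localhost"
               for ip, host in parse_entries("\n".join(kept))):
        kept.append("127.0.0.1       localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, text in (("HijackThis log", SAMPLE_HJT_LOG), ("hosts file", SAMPLE_HOSTS_FILE)):
        print(f"--- {label} ---")
        for ip, host, reason in suspicious_entries(parse_entries(text)):
            print(f"{ip:<14} {host:<30} {reason}")
    print("--- cleaned hosts file ---")
    print(clean_hosts_text(SAMPLE_HOSTS_FILE), end="")
```

On Windows the file the resolver actually reads is %SystemRoot%\System32\drivers\etc\hosts; run the script over a copy of it rather than over the HijackThis log alone, because the thread's point is precisely that a second hosts file can exist that HijackThis does not report. Review the flagged list before writing anything back: the cleanup keeps every non-loopback line, but a deliberately customized 127.0.0.1 block list would be flagged too.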


#7 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 05 May 2004 - 08:22 AM

Good morning PapaKid

Thanks once again for the good advice. This morning, is the first chance that I am able to follow any of it. Just to make sure that I understand the order, I do it something like this, right:

Close all open programs
run HiJack This, and have it fix what I originally listed, except for >>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
Restart computer
Access internet, and see if problem is fixed
Run HiJack This again, and post new log here.

If the above method does not work, a 'level 2' cleaning may be needed:
Disable system restore
restart computer in Safe Mode
run HiJack This and fix entries
delete recycle bin, defrag HD(my maintenance anyway)
restart computer
enable system restore
surf internet
Run HiJack This, and post new log here
enable system restore, and make a new checkpoint, if everything is good


In the past with E-Machines, the quality was not what it should be. Today (and really from about 18 months ago), it seems like their reputation has improved a lot. I got this one about a year ago, and the specs are below:

AMD Athlon 2400+Ghz
DVD-ROM
CD-RW
60 GIG HD
initially had 256 DDR RAM-increased to (2) 256 DDR RAM
GeForce MX440 64 MG AGP vid card w/ dual mon
15 " flat screen Syncmaster 151v, and 15" CRT viewsonic
Sound Blaster Audigy LS 5.1
Altec Lansing 5.1 surround speakers
D-Link DI-604 router
Lexmark X75 all-in-one
Lexmark Z605
Webcams-Concord, and Eye Toy (PS2)

I have to say, once you go dual monitors, you never go back. In the near future, I will be running Linux on one, and WIN on the other at the same time. Using just one keyboard, mouse, and computer. This will happen shortly after I increase my RAM to 1 GIG or more. Currently, I use it to watch a DVD movie full screen on one monitor, while I am surfing on another. With the 2 printers, I can have one app print to one, and another app print to the other. It does not happen very often, but it is good to have. I have a router with only this computer hooked up to it because I will be going online with either X-Box or PS2 sometime next month. Also, I have an old Laptop that I will be adding to the system. It is so old, that it does not have a CD-ROM. Just in case you were wondering why I included the PS2 Eye Toy with the computer specs, it is because you can d/l a driver for it, and use it.

Anyway, enough running my mouth, or is it running my fingers? It is looking like it will be at least an hour or two, before I can make any changes. I will keep an eye on this thread, in case something changes.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 AM

Posted 05 May 2004 - 10:38 AM

'Morning to you too J.
I think you should follow these steps:

1. Do as you propose only this far, i.e.:

Close all open programs
run HiJack This, and have it fix what I originally listed, except for >>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
Restart computer



2. Rescan with HijackThis & check to see if any 01 Hosts entries appear. I'm assuming from your previous question that you haven't customized any hosts files or downloaded one. So they need to be fixed if they appear in HT. You can go ahead & post another log after performing step 1. but I would say continue on unless you have a question.

3. Come back to this thread and click on the links to Wilders that I posted just to see if you can access that site. If you can't access Wilders, then you've probably got a hidden hosts entry which is blocking access to it. In either event, suggest you continue on with these steps because there are supposed to be another 40 or so hidden hosts.

4. This step was going to be to download FileReader from the link posted above. But the direct download doesn't work for me, and it appears to be a programmers tool that may be a little complex & not easy to understand. And I have no experience in this area. But if you want you can download it from HERE and see if you can find the hidden hosts file. Someone else may be able to help you with that.

5. Click the second link in the quotebox I posted to directly download Hoster. Any hosts file entries that match the list you deleted with HT should be deleted. Any site that you want to have access to that is included in Hoster you should delete. I would say delete all, but I don't mess with host files & would recommend using some caution. You could play around with it some in steps--someone with more experience in this area can guide you, but you can safely delete all sites that you might want to visit.

6. Boot into safe mode & navigate to C:\WINDOWS\System32\services. Delete the entire "services" folder then boot back up into normal mode.

7. Take a test drive--not just on the net, but also run some of your other programs. If you encounter no problems, then you can empty the Recycle Bin (but there's no hurry) and then turn System Restore off then back on again. You won't have to create a restore point because one is created when you turn SysRes on again.

8. Now post another HT log to check.

I'd like to comment some more, but I've got to get to work. As always you can post back here with any questions or if things don't go well. Someone will be around. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#9 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 05 May 2004 - 02:51 PM

It looks like everything is in order. I had HiJack This fix the entries, and rebooted. Here is the new scan.

Logfile of HijackThis v1.97.7
Scan saved at 2:48:57 PM, on 5/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jason\Desktop\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab


Thanks to everyone for your help. I guess this one was easy :thumbsup:
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#10 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 05 May 2004 - 03:10 PM

Looks good to me

#11 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 05 May 2004 - 10:40 PM

Yep, J, that's a clean log. It doesn't necessarily mean that the problem is solved however. My apologies if I wasn't clear. I still want you to perform a simple test. Click on the following links and tell me if you can access any of the webpages.

http://auditmypc.com/
http://www.safer-networking.org/index.php?page=home
http://www.cexx.org/
http://www.zerosrealm.com/downloads.php

Let me know if you have any problems accessing any or all of these pages. If just one & not others, let me know that & which one. If no probs let me know that too. I'm especially interested in the last one.

Then we'll have a good idea if you have a hosts file that HijackThis can't detect.

The thing about people

is they change

when they walk away.--Mipso


#12 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:05:12 AM

Posted 06 May 2004 - 08:38 AM

I clicked on each of the links, and I was able to access them, including the one that was a direct link to d/l a file, which I canceled.


6. Boot into safe mode & navigate to C:\WINDOWS\System32\services. Delete the entire "services" folder then boot back up into normal mode.



When I went into Safe Mode, there are a few files that are named services, but not a folder. I even looked at the date modified on these files, and noticed that they have not been changed since 8/29/02. The exact names of the files, even though you said folder, are services.exe and services.msc. No changes were made, from this step.


I have been going to different sites, and I have not had any problems with any links, since the changes from HiJack This were made.

Is it possible that CWShredder is needed? I have been told that running this on a clean system, can mess it up.

Thanks again for the help.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#13 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 06 May 2004 - 09:22 AM

CWShredder should cause no problems running on your machine

#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 AM

Posted 06 May 2004 - 09:40 AM

Hi j,
Are you saying that one of these four links attempted a direct download?


http://www.safer-networking.org/index.php?page=home
http://www.cexx.org/
http://www.zerosrealm.com/downloads.php


The only direct download in this thread is for Hoster, this one:

http://members.aol.com/toadbee/hoster.zip


When you click on the links in the first list you should see the following pages--if that's not what's coming up then you're being redirected. So please confirm the following:

1. http://auditmypc.com/ --Takes you to the AuditMyPC homepage. No direct download.
2. http://www.safer-networking.org/index.php?page=home --Takes you to the Spybot S&D homepage.
3. http://www.cexx.org/ --Takes you to Counterexploitation (cexx.org) home page.
4. http://www.zerosrealm.com/downloads.php --Takes you to Zerosrealm Downloads page. No direct downloads.

The absence of a C:\WINDOWS\System32\services folder may be a good sign. You may be good to go. Just need to know if you're seeing the same things I am when you click those links.

BTW, when instructed to delete a certain folder or file--be sure to follow the filepath exactly. If it's not there it's not there, you're right not to mess with anything that sounds similar.

The thing about people

is they change

when they walk away.--Mipso


#15 JEservices

JEservices

    helping hand

  • Topic Starter

  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas

Posted 06 May 2004 - 09:54 AM

The first link, is good. The second link is a d/l. This is what it says on the screen, verbatim.

Another window opens that is titled File Download. File name: index.php File type:broderbund Easy Prints Type From: www.safer-networking.org Normal options for d/l a file, including the checkbox w/ a check, 'always ask before opening this type of file.

This is a second attempt to access your links. I keep the message on screen, and will amend on the attempt for the last 2.


The other 2 links are OK.

Edited by JEservices, 06 May 2004 - 09:55 AM.

We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.
