Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP! Please...


  • Please log in to reply
3 replies to this topic

#1 phishphan419

phishphan419

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:56 AM

Posted 10 August 2005 - 12:23 AM

I am having a horrible time with my computer. If anyone can help me I would really appreciate it. Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:05 AM, on 8/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wmylnnfrexhf.com/ViboFKVvIlVGeH...J6Pp8ka8LF.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
O4 - Global Startup: kigykl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\drloader.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Applications (COMS) - Unknown owner - C:\WINDOWS\System32\lsas.exe" -service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you, in advance, for any suggestion/help you can offer. :thumbsup:

Sarah

BC AdBot (Login to Remove)

 


m

#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 PM

Posted 13 August 2005 - 01:55 AM

Hi Sarah, Sorry for the delay.

It appears you have run HijackThis in safe mode. We need to see a log in normal mode in order to see what all is running on your system. You also have disabled some startups in msconfig.

Please click on START, then Run, and type msconfig and then press enter. When the window opens click on the Startup Tab and make sure there are checkmarks in every entry. Then press OK until you are out of the program. If it asks to reboot, do not reboot.

I also need for you to create a new folder on your desktop and drag HijackThis.exe into it so we don't lose the backups it makes.

You have some malware affecting your internet connectivity. Let's deal with that first and we will work on the rest when you have reposted with more information as I have requested.

Now please Download LSPFix from:

LSP-Fix

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" box. Place all listings of cdlsp.dll into the remove section by highlighting cdlsp.dll and clicking on the button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

Then Reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

When you are done post a new log, please.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 phishphan419

phishphan419
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:56 AM

Posted 13 August 2005 - 11:19 PM

Thanks for all your help. Here's my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:20 PM, on 8/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SUService] C:\WINDOWS\system32\SUService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SFN] C:\Program Files\SFN\SFN.exe -AutoStart
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\pbaypk.exe
O4 - HKLM\..\Run: [Meta Upload Eq Stupid] C:\Documents and Settings\All Users\Application Data\that cast meta upload\burndead.exe
O4 - HKLM\..\Run: [lxbaihmqq] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eutoamebs] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [dmhlnvzxgkyl] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [StopArmy] C:\DOCUME~1\Sarah\APPLIC~1\LOVERE~1\traymemo.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msimrt16] C:\WINDOWS\System32\msimrt16.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [DivXOP] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\system32\msupdateQ49500x86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:56 PM

Posted 14 August 2005 - 11:30 AM

Mmm, mmm, quite a mess you have there, Sarah. Quite honestly I don't know if it's worth trying to clean up an unpatched machine with no antivirus and no firewall but we'll give it a shot.

Let's start you out with the basic auto-removers and attempt to fix some others that will probably come back.

:thumbsup: Begin downloading

1. Please download AVG Free from here:

AVG Virus Scan

Save the setup file to your desktop. Don't install or run it yet.

2. Download Spybot and Adaware from the following locations and install them.:

Spybot
Ad-aware

Update, and configure these programs according to the following tutorials. Familiarize yourself with how these programs run or print out the tutorials because I want you to run them in safe mode. If you have any problems with installation, try again while in safe mode.

Spybot - S&D Tutorial
Ad-Aware Tutorial


:flowers: More info on files

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

2. Download this program:

submit files packer

Highlight the files listed below in bold and right-click and select copy.

C:\WINDOWS\ttupt.exe
C:\WINDOWS\system32\SUService.exe
C:\WINDOWS\System32\auzaos.exe
C:\WINDOWS\System32\msimrt16.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Papakid.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

3. Also please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files Ive just listed above, then click Submit. You will only be able to have one file scanned at a time. Please post back the results of the scan in your next post.

:trumpet: Boot into Safe Mode to run programs

1. Reboot your computer into Safe Mode. Before doing so you may want to print out these istructions or save them to Notepad or your text editor of choice so you can refer to them in safe mode.

2. Install AVG and run a full system scan.

3. Reboot back into safe mode.

4. If you haven't already installed Spybot Search & Destroy and Ad-Aware, do so now. Run these programs and allow them to remove all that they find. You may need to reboot after a scan, if so return to safe mode for the next step.

5. Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked. If some of them are no longer present, don't worry as they may already have been removed by the programs you just ran:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SUService] C:\WINDOWS\system32\SUService.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\pbaypk.exe
O4 - HKLM\..\Run: [Meta Upload Eq Stupid] C:\Documents and Settings\All Users\Application Data\that cast meta upload\burndead.exe
O4 - HKLM\..\Run: [lxbaihmqq] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eutoamebs] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [dmhlnvzxgkyl] C:\WINDOWS\System32\auzaos.exe
O4 - HKLM\..\Run: [COM+ System Applications] lsas.exe
O4 - HKCU\..\Run: [StopArmy] C:\DOCUME~1\Sarah\APPLIC~1\LOVERE~1\traymemo.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [msimrt16] C:\WINDOWS\System32\msimrt16.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [DivXOP] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\system32\msupdateQ49500x86.exe


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

6. Using My Computer/Windows Explorer navigate to and delete the following files and folders in bold--do not be concerned if they do not exist.

Folders:

C:\Program Files\VBouncer
C:\Program Files\SED
C:\Program Files\RVP
C:\Documents and Settings\All Users\Application Data\that cast meta upload
C:\Docuemnts and Settings\Sarah\Application Data\LOVERE~1<--the name of this folder begins with LOVERE and should be random words strung together.
C:\Program Files\MyDailyHoroscope
C:\Program Files\Web Offer
C:\Program Files\ezula

Files:

C:\WINDOWS\wupdt.exe
C:\WINDOWS\ttupt.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\pbaypk.exe
C:\WINDOWS\System32\auzaos.exe
lsas.exe<--search for this file, but it should be in C:\WINDOWS\system32
C:\WINDOWS\System32\msimrt16.exe
C:\WINDOWS\system32\msupdateQ49500x86.exe

:inlove: Follow up

1. Boot back into normal mode.

2. Please run these two free online virus scans:

TrendMicro's HouseCall
Panda ActiveScan

Please save the log from the Panda scan and post it in your next reply.

3 Scan againwith HijackThis and save a log to post in your next reply.

4. Now download WinPFind.zip and unzip the contents to the C:\ folder.

Reboot back into safe mode.

Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log, the results from Jotti, and the log from Panda and I will review the information when it comes in. There will be much more to do and let me know how things are running.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users