
HijackThis Log -- Please Help Diagnose


  • Please log in to reply
1 reply to this topic

#1 Marina


Posted 19 August 2005 - 10:27 AM

Hi,

My son's PC has been "hijacked" by the following vendors: e2give, Smitfraud, PSGuard, Randomly Named Trojan, Aurora, Troj/Dloader-CD, Transponder, etc. I have used 3 different spyware, adware, etc. programs and so far none of them have been able to eliminate this problem. In addition, I receive the following message: Internet Explorer encountered a problem and needs to close. I will greatly appreciate any assistance you may provide as I have been working on this problem for the last three days.

Regards,
Marina

Below is a copy of my hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:01 AM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\S1AgTmFubmVyeQAA\command.exe
C:\WINDOWS\ydljnkk.exe
C:\WINDOWS\nobpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\apisvc.exe
C:\WINDOWS\exhuqlv.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\cworld.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\apisvc.exe
C:\WINDOWS\system32\svphost.exe
C:\WINDOWS\System32\disipx.exe
C:\WINDOWS\System32\disipx.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KP Nannery\Local Settings\Temporary Internet Files\Content.IE5\3PQ6D5OS\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sitesearchcentral.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sitesearchcentral.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sitesearchcentral.com/sp2.php
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O1 - Hosts: 69.31.81.22 www.google.ae
O1 - Hosts: 69.31.81.22 www.google.am
O1 - Hosts: 69.31.81.22 www.google.as
O1 - Hosts: 69.31.81.22 www.google.at
O1 - Hosts: 69.31.81.22 www.google.az
O1 - Hosts: 69.31.81.22 www.google.be
O1 - Hosts: 69.31.81.22 www.google.bi
O1 - Hosts: 69.31.81.22 www.google.cd
O1 - Hosts: 69.31.81.22 www.google.cg
O1 - Hosts: 69.31.81.22 www.google.ch
O1 - Hosts: 69.31.81.22 www.google.ci
O1 - Hosts: 69.31.81.22 www.google.cl
O1 - Hosts: 69.31.81.22 www.google.co.cr
O1 - Hosts: 69.31.81.22 www.google.co.hu
O1 - Hosts: 69.31.81.22 www.google.co.il
O1 - Hosts: 69.31.81.22 www.google.co.in
O1 - Hosts: 69.31.81.22 www.google.co.je
O1 - Hosts: 69.31.81.22 www.google.co.jp
O1 - Hosts: 69.31.81.22 www.google.co.ke
O1 - Hosts: 69.31.81.22 www.google.co.kr
O1 - Hosts: 69.31.81.22 www.google.co.ls
O1 - Hosts: 69.31.81.22 www.google.co.nz
O1 - Hosts: 69.31.81.22 www.google.co.th
O1 - Hosts: 69.31.81.22 www.google.co.ug
O1 - Hosts: 69.31.81.22 www.google.co.ve
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.fi
O1 - Hosts: 69.31.81.22 www.google.fm
O1 - Hosts: 69.31.81.22 www.google.gg
O1 - Hosts: 69.31.81.22 www.google.gl
O1 - Hosts: 69.31.81.22 www.google.gm
O1 - Hosts: 69.31.81.22 www.google.hn
O1 - Hosts: 69.31.81.22 www.google.ie
O1 - Hosts: 69.31.81.22 www.google.it
O1 - Hosts: 69.31.81.22 www.google.kz
O1 - Hosts: 69.31.81.22 www.google.li
O1 - Hosts: 69.31.81.22 www.google.lt
O1 - Hosts: 69.31.81.22 www.google.lu
O1 - Hosts: 69.31.81.22 www.google.lv
O1 - Hosts: 69.31.81.22 www.google.mn
O1 - Hosts: 69.31.81.22 www.google.ms
O1 - Hosts: 69.31.81.22 www.google.mu
O1 - Hosts: 69.31.81.22 www.google.mw
O1 - Hosts: 69.31.81.22 www.google.nl
O1 - Hosts: 69.31.81.22 www.google.no
O1 - Hosts: 69.31.81.22 www.google.off.ai
O1 - Hosts: 69.31.81.22 www.google.pl
O1 - Hosts: 69.31.81.22 www.google.pn
O1 - Hosts: 69.31.81.22 www.google.pt
O1 - Hosts: 69.31.81.22 www.google.ro
O1 - Hosts: 69.31.81.22 www.google.ru
O1 - Hosts: 69.31.81.22 www.google.rw
O1 - Hosts: 69.31.81.22 www.google.se
O1 - Hosts: 69.31.81.22 www.google.sh
O1 - Hosts: 69.31.81.22 www.google.sk
O1 - Hosts: 69.31.81.22 www.google.sm
O1 - Hosts: 69.31.81.22 www.google.td
O1 - Hosts: 69.31.81.22 www.google.tm
O1 - Hosts: 69.31.81.22 www.google.tt
O1 - Hosts: 69.31.81.22 www.google.uz
O1 - Hosts: 69.31.81.22 www.google.vg
O1 - Hosts: 69.31.81.22 google.ae
O1 - Hosts: 69.31.81.22 google.am
O1 - Hosts: 69.31.81.22 google.as
O1 - Hosts: 69.31.81.22 google.at
O1 - Hosts: 69.31.81.22 google.az
O1 - Hosts: 69.31.81.22 google.be
O1 - Hosts: 69.31.81.22 google.bi
O1 - Hosts: 69.31.81.22 google.cd
O1 - Hosts: 69.31.81.22 google.cg
O1 - Hosts: 69.31.81.22 google.ch
O1 - Hosts: 69.31.81.22 google.ci
O1 - Hosts: 69.31.81.22 google.cl
O1 - Hosts: 69.31.81.22 google.co.cr
O1 - Hosts: 69.31.81.22 google.co.hu
O1 - Hosts: 69.31.81.22 google.co.il
O1 - Hosts: 69.31.81.22 google.co.in
O1 - Hosts: 69.31.81.22 google.co.je
O1 - Hosts: 69.31.81.22 google.co.jp
O1 - Hosts: 69.31.81.22 google.co.ke
O1 - Hosts: 69.31.81.22 google.co.kr
O1 - Hosts: 69.31.81.22 google.co.ls
O1 - Hosts: 69.31.81.22 google.co.nz
O1 - Hosts: 69.31.81.22 google.co.th
O1 - Hosts: 69.31.81.22 google.co.ug
O1 - Hosts: 69.31.81.22 google.co.ve
O1 - Hosts: 69.31.81.22 google.dj
O1 - Hosts: 69.31.81.22 google.dk
O1 - Hosts: 69.31.81.22 google.fi
O1 - Hosts: 69.31.81.22 google.fm
O1 - Hosts: 69.31.81.22 google.gg
O1 - Hosts: 69.31.81.22 google.gl
O1 - Hosts: 69.31.81.22 google.gm
O1 - Hosts: 69.31.81.22 google.hn
O1 - Hosts: 69.31.81.22 google.ie
O1 - Hosts: 69.31.81.22 google.it
O1 - Hosts: 69.31.81.22 google.kz
O1 - Hosts: 69.31.81.22 google.li
O1 - Hosts: 69.31.81.22 google.lt
O1 - Hosts: 69.31.81.22 google.lu
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [pFoV3mW] stktcomm.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [exhuqlv] C:\WINDOWS\exhuqlv.EXE
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\l4plsd.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cworld] C:\WINDOWS\cworld.exe
O4 - HKCU\..\Run: [Yo79RgaEh] ssdpt32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [disipx] C:\WINDOWS\System32\disipx.exe
O4 - HKCU\..\RunOnce: [disipx] C:\WINDOWS\System32\disipx.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\guard.tmp
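As an added example (not part of the original post or of HijackThis itself), a small Python triage helper that parses HijackThis v1.99.1 item lines like the ones above and flags the patterns a helper reads first: many hostnames in O1 Hosts entries pinned to a single IP, O4 Run entries given as a bare filename with no directory, O2 BHOs whose file is missing, and an O20 Winlogon Notify DLL with a .tmp extension. The sample lines are excerpted from the posted log; the heuristics and the min_hosts threshold are my own assumptions, not HijackThis behaviour.

```python
import re
from collections import defaultdict
# Excerpt of the posted HijackThis log (raw string so the backslashes survive).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sitesearchcentral.com/sp2.php
O1 - Hosts: 69.31.81.22 www.google.ae
O1 - Hosts: 69.31.81.22 www.google.at
O1 - Hosts: 69.31.81.22 google.ae
O1 - Hosts: 69.31.81.22 google.at
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [pFoV3mW] stktcomm.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\guard.tmp
"""
HJT_ITEM = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")  # "<code> - <body>"
O4_BODY = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")  # "HKLM\..\Run: [name] cmd"

def parse_hjt(text):
    """Return (code, body) pairs for item lines; header and process-list lines are skipped."""
    items = []
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        if m:
            items.append((m.group("code"), m.group("body")))
    return items

def hosts_redirect_clusters(items, min_hosts=3):
    """Group O1 Hosts entries by IP; many hostnames pinned to one IP (assumed threshold) is the redirection pattern."""
    by_ip = defaultdict(set)
    for code, body in items:
        if code == "O1" and body.startswith("Hosts: "):
            ip, host = body[len("Hosts: "):].split(None, 1)
            by_ip[ip].add(host.strip())
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}

def suspicious_autoruns(items):
    """Heuristic (reason, detail) flags; the rules are my assumptions, not HijackThis output."""
    flags = []
    for code, body in items:
        if code == "O4":
            m = O4_BODY.match(body)
            # A Run value that is just "name.exe" with no directory is resolved through the PATH search.
            if m and "\\" not in m.group("cmd").strip('"').split()[0]:
                flags.append(("O4 bare filename", f"[{m.group('name')}] {m.group('cmd')}"))
        elif code == "O2" and body.endswith("(file missing)"):
            flags.append(("O2 BHO file missing", body))
        elif code == "O20" and body.lower().endswith(".tmp"):
            flags.append(("O20 Winlogon Notify .tmp", body))
    return flags
```

Run it over a full saved log with `parse_hjt(open("hijackthis.log").read())`; the full posted log yields one cluster of 100 google hostnames on 69.31.81.22.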


#2 Guest_Cretemonster_*


Posted 20 August 2005 - 08:02 AM

Hi Marina and Welcome to the Bleeping Computer!

That appears to be the Look2me Infection along with others!

Please download the l2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and once at the Site, click on the link that applies to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!



