HijackThis Log: Please help Diagnose


3 replies to this topic

#1 Vilius

Vilius

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 23 August 2005 - 02:54 PM

My friends, I don't know what to do; SearchWeb2 reactivates every day.
I tried Omegakiller, but it helps only for half an hour. Please, please help me.
Here is my log. Muvee

(moderator edit: moved log to HJT forum for team review. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 22:36:29, on 2005.08.23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\TILDES~2\Pianists.exe
C:\PROGRA~1\TILDES~2\MDICTION.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TILDES~2\MDICTION.DEX
C:\Documents and Settings\Vilius\My Documents\Install\Internetas\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.qjsqmneaclrns.com/eu71O_yVCdQB/...ytSx1vOHhK.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.lt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Pianists] C:\PROGRA~1\TILDES~2\Pianists.exe /STARTUP
O4 - HKLM\..\Run: [mdiction] C:\PROGRA~1\TILDES~2\MDICTION.EXE
O4 - HKLM\..\Run: [CheckCU] "C:\PROGRA~1\TILDES~2\CheckCU.exe" {39F50706-EAFA-4B38-B834-16692BC84430} Tildes Biuras 2004
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tray Delete] C:\DOCUME~1\Vilius\APPLIC~1\NEWMIX~1\MEDIATHE.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Vers&ti su Tildės elektroniniu žodynu - res://C:\Program Files\Tildes Biuras 2004\TDVLauncher.DLL /201
O9 - Extra button: Tildės ieškiklis - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Tildės ieškiklis - {11FD30F4-F186-4ebe-A384-E22965FDEC7A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{129C3263-B83D-44C4-A164-710126FD1736}: NameServer = 212.59.0.1,212.59.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{129C3263-B83D-44C4-A164-710126FD1736}: NameServer = 212.59.0.1,212.59.0.2
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Edited by jgweed, 23 August 2005 - 03:06 PM.



#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:37 AM

Posted 24 August 2005 - 07:05 AM

Welcome to Bleeping Computer, Vilius.

Let's see what we have here.

Download Findlop by Metallica. Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.

***
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post



Life is what happens while you're making other plans

#3 Vilius

Vilius
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 24 August 2005 - 02:11 PM

Hi, I think there's something wrong with GplTickAdmin...
What do you think? These SearchWeb2 things are crazy...
Thank you, thank you,


[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A393C9CD91C87BB1.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\vilius\applic~1\newmix~1\GplTickAdmin.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Vilius'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/24/2005 14:00:00
NextRun: 08/24/2005 23:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/05/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Norton AntiVirus - Scan my computer - Vilius.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\NORTON~1\Navw32.exe'
Parameters: '/task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"'
WorkingDirectory: ''
Comment: 'This is a schedule scan task from Norton AntiVirus.'
Creator: 'Vilius'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 08/26/2005 20:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 04/09/2005
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Vilius'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/24/2005 11:45:00
NextRun: 08/24/2005 23:45:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 08/24/2005
EndDate: 00/00/0000
StartTime: 03:45
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


____________________________________________________________________
Programs List


Ableton Live v4.04
ACDSee 7.0 PowerPack
Adobe Download Manager 2.0 (Remove Only)
Adobe Encore DVD 1.5
Adobe PageMaker 7.0
Adobe Photoshop CS
Adobe Premiere Pro 1.5
Adobe Reader 7.0
Ai Booster
AIDA32 v3.88
Aluria Security Center
ASAPI Update
Aspect 1.1.99.2
ASUS Probe V2.23.01
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
ccCommon
CloneCD
CloneDVD2
Complete Registry Cleaner Trial
DiskPie 2.0
DivX
FLAC Installer 1.1.1a (remove only)
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
HP Photo and Imaging 1.2 - Scanjet 4570c Series
Internet Worm Protection
iTunes
Java 2 Runtime Environment, SE v1.4.2_08
K-Lite Codec Pack 2.27 Full
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
MagicTune
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft Office 2003 Proofing Tools
Microsoft Office Professional Edition 2003
mIRC
Monkey's Audio
MSN Messenger 6.2
Natural Color
Need for Speed - Porsche Unleashed
Need For Speed Underground
Nero 6 Ultra Edition
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Pivot Software
PowerDVD
QuickTime
RadLight MPC DirectShow Filter (remove only)
Realtek High Definition Audio Driver
Registry Mechanic
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Sigview v1.9.5.1
Symantec
Symantec Script Blocking Installer
SymNet
SPBBC
Spybot - Search & Destroy 1.4
Steinberg Cubase SX v2.01
Steinberg Groove Agent
Steinberg LM-4 VSTi v1.1
Steinberg The Grand
Steinberg Wavelab v4.01b
Tildes Biuras 2004
Ulead Disc-Direct SDK
Ulead DVD MovieFactory 3 SE
Ulead VideoStudio 8.0 SE DVD
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
USB Video/Audio Device Driver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinFast Entertainment Center(WDM Driver)
WinFast PVR
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:37 AM

Posted 24 August 2005 - 04:37 PM

Copy and paste the text from the box to an empty file in Notepad.
%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h A393C9CD91C87BB1.job
del A393C9CD91C87BB1.job

Save the file:
name : remjob.bat
location: desktop
type : all types

Close Notepad.

Double-click remjob.bat on your desktop.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.qjsqmneaclrns.com/eu71O_yVCdQB/...ytSx1vOHhK.html

O4 - HKCU\..\Run: [Tray Delete] C:\DOCUME~1\Vilius\APPLIC~1\NEWMIX~1\MEDIATHE.exe
If this folder (newmix...) belongs to your music stuff, leave this one.

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

You're right about the cause. Remove this folder:

c:\documents and settings\vilius\application data\newmix~1\ <= this is an abbreviation.

***

Reboot the computer and post me a fresh HijackThis log to check.


Life is what happens while you're making other plans
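A defender-side triage of the Findlop task dump pasted in post #3, as an added example that is not from the thread, from BleepingComputer or from the Findlop tool: it parses the "[TRACE] Activating job" / "Key: value" / "Flag = 0" layout shown above and flags the signs the helper acted on in post #4 (a task marked Hidden that launches a binary from a user profile's Application Data under a random-looking 16-hex-digit job name). The sample dump is constructed to mirror that layout, with a placeholder profile path.

```python
"""Triage a Findlop-style scheduled-task dump for adware persistence."""
import re

# Constructed sample, not the thread's real dump: one adware-like job
# and one legitimate vendor job, laid out like the Findlop output.
SAMPLE_DUMP = r"""
[TRACE] Activating job 'A393C9CD91C87BB1.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\user\applic~1\newmix~1\GplTickAdmin.exe'
Creator: 'user'
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1
TaskFlags: 0

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Creator: 'user'
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 0
TaskFlags: 0
"""

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(.+)'$")
PROP_RE = re.compile(r"^(\w+): '?(.*?)'?$")          # Key: 'value' or Key: value
FLAG_RE = re.compile(r"^(\w+) = (\d)$")              # Name = 0 / Name = 1
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{16}\.job$")  # auto-generated-looking name
PROFILE_RE = re.compile(r"docume~1|documents and settings", re.I)


def parse_jobs(text):
    """Split the dump into one dict per job: properties plus a 'flags' dict."""
    jobs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = JOB_RE.match(line)
        if m:
            current = {"job": m.group(1), "flags": {}}
            jobs.append(current)
            continue
        if current is None:
            continue
        m = FLAG_RE.match(line)
        if m:
            current["flags"][m.group(1)] = int(m.group(2))
            continue
        m = PROP_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)  # quotes already stripped
    return jobs


def triage(jobs):
    """Return {job name: [reasons]} for jobs that show persistence red flags."""
    findings = {}
    for j in jobs:
        reasons = []
        app = j.get("ApplicationName", "")
        if j["flags"].get("Hidden") == 1:
            reasons.append("task is marked Hidden")
        if PROFILE_RE.search(app):
            reasons.append("binary lives under a user profile, not Program Files")
        if HEX_NAME_RE.match(j["job"]):
            reasons.append("auto-generated-looking 16-hex-digit job name")
        if reasons:
            findings[j["job"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in triage(parse_jobs(SAMPLE_DUMP)).items():
        print(name, "->", "; ".join(why))
```

On the real dump in post #3 the same checks single out 'A393C9CD91C87BB1.job' and leave the Norton and LiveUpdate jobs alone.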



