Hjt Log - Gotsum Please Help Me Kill This

24 replies to this topic

#1 gotsum
  • Members
  • 17 posts

Posted 14 October 2005 - 08:32 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:43:22 AM, on 10/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winhosts.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\Vxeflm.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\smsc.exe
C:\Program Files\ZDF\rawr.exe
C:\WINDOWS\System32\stupd64.exe
C:\WINDOWS\System32\MSPPSU64.EXE
C:\WINDOWS\System32\ndcky.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\qopqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\System32\qlink32.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\Run: [Windows NT Runtime] winhosts.exe
O4 - HKLM\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\Run: [Kfya8Fy] C:\WINDOWS\nexkh.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hfedfe.exe
O4 - HKLM\..\Run: [Power Scan] "C:\Program Files\Power Scan\powerscan.exe" /aid:156324
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vxeflm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\RunServices: [Windows NT Runtime] winhosts.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
O20 - Winlogon Notify: qopqq - C:\WINDOWS\SYSTEM32\qopqq.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

#2 Grinler
    Lawrence Abrams
  • Admin
  • 43,536 posts
  • Gender:Male
  • Location:USA

Posted 19 October 2005 - 08:28 AM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


c:\windows\system32\iexplorer.exe
c:\windows\system32\ndcky.exe
c:\windows\system32\winhosts.exe


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop, with a name that starts like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.



Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

ISTSvc
Powerscan
Internet Optimizer
Surf Accuracy
IST Bar
Sidefind

Then,

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\qopqq.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\System32\qlink32.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\Run: [Windows NT Runtime] winhosts.exe
O4 - HKLM\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\Run: [Kfya8Fy] C:\WINDOWS\nexkh.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hfedfe.exe
O4 - HKLM\..\Run: [Power Scan] "C:\Program Files\Power Scan\powerscan.exe" /aid:156324
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Vxeflm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\RunServices: [Windows NT Runtime] winhosts.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
O20 - Winlogon Notify: qopqq - C:\WINDOWS\SYSTEM32\qopqq.dll
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):


C:\WINDOWS\System32\Searchx.htm
C:\Program Files\SideFind\
C:\Program Files\ISTbar\
C:\WINDOWS\nexkh.exe
C:\Program Files\SurfAccuracy\
C:\Program Files\Internet Optimizer\
C:\Program Files\Power Scan\
C:\WINDOWS\System32\Vxeflm.exe
C:\Program Files\ISTsvc\
c:\windows\system32\iexplorer.exe
c:\windows\system32\winhosts.exe
c:\windows\system32\ndcky.exe
C:\WINDOWS\System32\qlink32.dll
C:\WINDOWS\SYSTEM32\qopqq.dll
C:\WINDOWS\smsc.exe

Reboot your computer to go back to normal mode and post a new log.

#3 gotsum
  • Topic Starter
  • Members
  • 17 posts

Posted 20 October 2005 - 03:16 PM

Thanks for your help; it is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:35:03 PM, on 10/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\jkhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
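
The two logs above (posts #1 and #3) show the pattern a helper looks for by eye: autostart entries with bare filenames and Windows-sounding labels (`ndcky.exe`, `winhosts.exe`, `iexplorer.exe`), a DLL that is both a nameless BHO and a Winlogon Notify handler, a `text/html` filter, Trusted Zone additions, and an unknown-owner service in the Windows root; and, between logs, which entries survived the fix. The script below is an added example, not part of the thread or of HijackThis; the triage rules, the `SYSTEM_WORDS` list and the sample lines (copied from the two logs, trimmed) are my own choices and are not an official rule set.

```python
import ntpath
import re

# Sample entries copied from the thread's first two HijackThis logs (posts #1
# and #3), trimmed to the lines the triage rules below look at.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\qopqq.dll
O4 - HKLM\..\Run: [Microsoft Windows Update] iexplorer.exe
O4 - HKLM\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
O20 - Winlogon Notify: qopqq - C:\WINDOWS\SYSTEM32\qopqq.dll
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
O4_RE = re.compile(r"^(HK[LC][MU])\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# Words that autostart labels borrow to look like a built-in component (my list).
SYSTEM_WORDS = ("microsoft", "windows", "system", "security", "update", "runtime")


def parse_hjt(text):
    """Return [(section, body), ...] for every R*/O* line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def path_of(body):
    """The file path is the last ' - ' separated field of an O2/O18/O20/O23 body."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(entries):
    """Return [(reason, entry_line), ...] for entries that deserve a closer look."""
    bho_dlls = {path_of(b).lower() for s, b in entries if s == "O2"}
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec == "R1" and "file://" in body:
            findings.append(("search bar redirected to a local file", line))
        elif sec == "O4":
            m = O4_RE.match(body)
            if m:
                _hive, _key, label, cmd = m.groups()
                bare = "\\" not in cmd and cmd.lower().endswith(".exe")
                mimics = any(w in label.lower() for w in SYSTEM_WORDS)
                if bare and mimics:
                    findings.append(("bare-filename autostart with a Windows-sounding label", line))
        elif sec == "O15":
            findings.append(("site added to the Trusted Zone", line))
        elif sec == "O18" and body.startswith("Filter: text/html"):
            findings.append(("MIME filter hooks every HTML page IE renders", line))
        elif sec == "O20" and path_of(body).lower() in bho_dlls:
            findings.append(("Winlogon Notify DLL is also registered as a BHO (Vundo-style pair)", line))
        elif sec == "O23" and "Unknown owner" in body and ntpath.dirname(path_of(body)).lower() == r"c:\windows":
            findings.append(("unknown-owner service running from the Windows root", line))
    return findings


def diff_logs(before, after):
    """Split entries into persisted / removed / new, comparing case-insensitively."""
    key = lambda e: f"{e[0]} - {e[1]}".lower()
    b = {key(e): f"{e[0]} - {e[1]}" for e in before}
    a = {key(e): f"{e[0]} - {e[1]}" for e in after}
    return {
        "persisted": sorted(a[k] for k in a.keys() & b.keys()),
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "new": sorted(a[k] for k in a.keys() - b.keys()),
    }


if __name__ == "__main__":
    for reason, line in triage(parse_hjt(LOG_BEFORE)):
        print(f"[{reason}] {line}")
    for bucket, lines in diff_logs(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)).items():
        print(f"\n{bucket}: " + ", ".join(lines))
```

Run on the two samples, the diff puts the HKCU `ndcky.exe` entry and the SMSC service in `persisted` and the `jkhhe.dll`/`opnom.dll` pair in `new`, which is exactly why the next round of instructions in the thread concentrates on those files: a Run entry that reappears after a fix means something still on disk is re-creating it.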

#4 Grinler
    Lawrence Abrams
  • Admin
  • 43,536 posts
  • Gender:Male
  • Location:USA

Posted 21 October 2005 - 10:04 AM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Reboot your computer into Safe Mode

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll


Then delete these files or directories (do not be concerned if they do not exist):

c:\windows\system32\ndcky.exe
C:\WINDOWS\SYSTEM32\jkhhe.dll
C:\WINDOWS\System32\opnom.dll

Reboot your computer to go back to normal mode and post a new log.

#5 gotsum
  • Topic Starter
  • Members
  • 17 posts

Posted 21 October 2005 - 04:26 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:49:09 PM, on 10/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\ndcky.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [System] winupd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [System] winupd.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\Run: [System] winupd.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [System] winupd.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

#6 Grinler
    Lawrence Abrams
  • Admin
  • 43,536 posts
  • Gender:Male
  • Location:USA

Posted 22 October 2005 - 10:54 AM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [System] winupd.exe
O4 - HKLM\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKLM\..\RunServices: [System] winupd.exe
O4 - HKLM\..\RunServices: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\Run: [System] winupd.exe
O4 - HKCU\..\Run: [Windows IP Security Service] ndcky.exe
O4 - HKCU\..\RunServices: [System] winupd.exe
O4 - HKCU\..\RunServices: [Windows IP Security Service] ndcky.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

Then delete these files or directories (do not be concerned if they do not exist):

c:\windows\system32\msdirectx.sys
c:\windows\system32\winupd.exe
c:\windows\system32\winupd.exe
c:\windows\system32\ndcky.exe
C:\WINDOWS\SYSTEM32\jkhhe.dll
C:\WINDOWS\System32\opnom.dll
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\smsc.exe

Reboot your computer to go back to normal mode and post a new log.

#7 gotsum
  • Topic Starter
  • Members
  • 17 posts

Posted 23 October 2005 - 11:23 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:29:03 AM, on 12/18/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

#8 Grinler
    Lawrence Abrams
  • Admin
  • 43,536 posts
  • Gender:Male
  • Location:USA

Posted 23 October 2005 - 07:56 PM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\monpo.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\opnom.dll.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
    O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
    O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#9 gotsum
  • Topic Starter
  • Members
  • 17 posts

Posted 24 October 2005 - 10:27 PM

Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\jkhhe.dll
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/dealhelper No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20011216-050153-405.dll
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\UNC\is.exe
Adware:Adware/Mediamotor No disinfected C:\WINDOWS\exe82.exe
Virus:W32/Sdbot.FJD.worm Disinfected C:\WINDOWS\msnsrv.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\smsc.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\awtqp.dll
Virus:W32/Gaobot.FFA.worm Disinfected C:\WINDOWS\system32\bot.exe
Adware:Adware/Exact.Funcade No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KA1WAP0V\bullseye[1].htm
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KA1WAP0V\optimize[1].exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KA1WAP0V\version[1].exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KCUB6TRW\downloaddll[1].htm
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KCUB6TRW\istdownload[2].exe
Adware:Adware/SurfAccuracy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KCUB6TRW\SAcc.prod.v1112.05oct2005.exe[1]
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RKQV29KL\downloaddll[1].htm
Adware:Adware/PowerScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RKQV29KL\power_remove[1].exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RKQV29KL\xml_istbar[1].xml
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XMGKER3X\dun[1].exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XMGKER3X\sahagent[1].exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\dun.exe
Virus:W32/Sdbot.FJD.worm Disinfected C:\WINDOWS\system32\eraseme_30158.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_52381.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_72360.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_80671.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\system32\eraseme_88250.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\fcyxw.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Hfedfe.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\iiihf.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\install.exe
Virus:Trj/Multidropper.AXV Disinfected C:\WINDOWS\system32\ipsec.exe
Virus:W32/Sdbot.EWM.worm Disinfected C:\WINDOWS\system32\japan.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\jkhhe.dll
Virus:Trj/Downloader.FKV Disinfected C:\WINDOWS\system32\MSPPSU64.EXE
Virus:W32/Gaobot.FFA.worm Disinfected C:\WINDOWS\system32\ndcky.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstallQL.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\qopqq.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\rqoml.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ssqro.dll
Virus:W32/Gaobot.KMA.worm Disinfected C:\WINDOWS\system32\stupd64.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\tusrr.dll
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\winhosts.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\wvwwv.dll


Logfile of HijackThis v1.99.1
Scan saved at 11:21:01 PM, on 10/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_216064] C:\WINDOWS\System32\ActiveScan\pavdr.exe 216064
O4 - HKLM\..\RunOnce: [Panda_cleaner_212022] C:\WINDOWS\System32\ActiveScan\pavdr.exe 212022
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\monpo.*

The second filepath entered was C:\WINDOWS\System32\opnom.dll.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 428 'smss.exe'

Killing PID 1560 'explorer.exe'
Killing PID 1560 'explorer.exe'


Killing PID 512 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\monpo.* Deleted sucessfully.
Could not delete C:\WINDOWS\System32\opnom.dll.*.

Fixing Registry
--------------------------------------------------------------------------------------
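
The ActiveScan report above mixes four different situations: files the scanner already disinfected, leftovers in the browser cache that a cache wipe such as the CleanUp! run removes, a copy sitting in the HijackThis backup folder (harmless unless restored), and live DLLs in system32 that still need manual removal. The script below is an added example and not part of the thread or of any tool it mentions; the location buckets in `classify_location` are my own, and the sample rows are a subset copied from the report.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the ActiveScan report posted above (post #9); a subset is
# enough to show every kind of location the classifier distinguishes.
SCAN_RESULTS = r"""
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\jkhhe.dll
Adware:adware/dealhelper No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20011216-050153-405.dll
Virus:W32/Sdbot.FJD.worm Disinfected C:\WINDOWS\msnsrv.exe
Virus:Exploit/FTPD Disinfected C:\WINDOWS\smsc.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KCUB6TRW\istdownload[2].exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\dun.exe
Virus:W32/Gaobot.FFA.worm Disinfected C:\WINDOWS\system32\ndcky.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\qopqq.dll
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\winhosts.exe
"""

# "<class>:<family> <status> <location>", where status is one of two fixed phrases.
ROW_RE = re.compile(r"^(\w+):(\S+) (Disinfected|No disinfected) (.+)$")


def parse_activescan(text):
    """Return [(class, family, disinfected_bool, location), ...]."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cls, family, status, loc = m.groups()
            rows.append((cls, family, status == "Disinfected", loc))
    return rows


def classify_location(loc):
    """Bucket a leftover by where it sits, which decides how it gets cleaned up."""
    l = loc.lower()
    if l == "windows registry":
        return "registry"            # needs a registry fix, not a file delete
    if "\\temporary internet files\\" in l:
        return "browser cache"       # a cache wipe removes it
    if "\\hjt\\backups\\" in l:
        return "hijackthis backup"   # inert unless restored; purge the backup
    return "live file"               # must be removed by hand or a dedicated tool


def summarize(rows):
    """Separate what the scanner handled from what is still left, per location bucket."""
    report = {"disinfected": [], "leftover": defaultdict(list), "families": Counter()}
    for _cls, family, cleaned, loc in rows:
        report["families"][family] += 1
        if cleaned:
            report["disinfected"].append(loc)
        else:
            report["leftover"][classify_location(loc)].append((family, loc))
    return report


if __name__ == "__main__":
    r = summarize(parse_activescan(SCAN_RESULTS))
    print("disinfected by scanner:", len(r["disinfected"]))
    for bucket, items in r["leftover"].items():
        print(f"\nstill present ({bucket}):")
        for family, loc in items:
            print(f"  {family}: {loc}")
```

On the sample rows the "live file" bucket holds `jkhhe.dll`, `qopqq.dll` and `dun.exe`, the same system32 files the scanner could not disinfect, which is the list a helper would carry into the next manual step.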

#10 Grinler
    Lawrence Abrams
  • Admin
  • 43,536 posts
  • Gender:Male
  • Location:USA

Posted 25 October 2005 - 12:33 PM

Download this tool and save it to your desktop. Then double click the tool and follow the instructions.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

When it's done, reboot and post the log that is created on your desktop called VBG.TXT. You can also now try deleting the following files:

C:\WINDOWS\System32\opnom.dll
C:\WINDOWS\system32\jkhhe.dll

Then start hijackthis and fix the following entries:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll

Reboot and post a new log

#11 gotsum
  • Topic Starter
  • Members
  • 17 posts

Posted 25 October 2005 - 03:21 PM

[10/25/2005, 15:46:01] - Starting Process...
[10/25/2005, 15:46:01] - Looking for Browser Helper Object [MSEvents Object]
[10/25/2005, 15:46:01] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[10/25/2005, 15:46:01] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[10/25/2005, 15:46:01] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\jkhhe.dll)
[10/25/2005, 15:46:01] - Found a reference to C:\WINDOWS\system32\jkhhe.dll in Winlogon Notify! This is most likely Virtumundo!
[10/25/2005, 15:46:02] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[10/25/2005, 15:46:02] - BHO list has been changed! Starting over...
[10/25/2005, 15:46:02] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[10/25/2005, 15:46:02] - Found MSEvents Object!
[10/25/2005, 15:46:02] - File location: C:\WINDOWS\system32\jkhhe.dll
[10/25/2005, 15:46:02] - Attempting to kill C:\WINDOWS\system32\jkhhe.dll
[10/25/2005, 15:46:02] - Terminating Process: RUNDLL32.EXE
[10/25/2005, 15:46:02] - Terminating Process: IEXPLORE.EXE
[10/25/2005, 15:46:02] - Disabling Automatic Shell Restart
[10/25/2005, 15:46:02] - Terminating Process: EXPLORER.EXE
[10/25/2005, 15:46:03] - Suspending the NT Session Manager System Service
[10/25/2005, 15:46:03] - Terminating Windows NT Logon/Logoff Manager
[10/25/2005, 15:46:03] - Re-enabling Automatic Shell Restart
[10/25/2005, 15:46:03] - Renaming C:\WINDOWS\system32\jkhhe.dll -> C:\WINDOWS\system32\jkhhe.dll.vir
[10/25/2005, 15:46:03] - File successfully renamed!
[10/25/2005, 15:46:03] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[10/25/2005, 15:46:03] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[10/25/2005, 15:46:03] - Removing Winlogon Notify Entry: jkhhe
[10/25/2005, 15:46:03] - BHO list has been changed! Starting over...
[10/25/2005, 15:46:03] - 1: {8DBF02DA-4360-4A7E-BEA1-347B87816327} - MSEvents Object
[10/25/2005, 15:46:03] - Found MSEvents Object!
[10/25/2005, 15:46:03] - File location: C:\WINDOWS\System32\opnom.dll
[10/25/2005, 15:46:03] - Attempting to kill C:\WINDOWS\System32\opnom.dll
[10/25/2005, 15:46:03] - Terminating Process: RUNDLL32.EXE
[10/25/2005, 15:46:03] - Terminating Process: IEXPLORE.EXE
[10/25/2005, 15:46:03] - Disabling Automatic Shell Restart
[10/25/2005, 15:46:03] - Terminating Process: EXPLORER.EXE
[10/25/2005, 15:46:03] - Suspending the NT Session Manager System Service
[10/25/2005, 15:46:04] - Terminating Windows NT Logon/Logoff Manager
[10/25/2005, 15:46:04] - Re-enabling Automatic Shell Restart
[10/25/2005, 15:46:04] - Renaming C:\WINDOWS\System32\opnom.dll -> C:\WINDOWS\System32\opnom.dll.vir
[10/25/2005, 15:46:04] - File successfully renamed!
[10/25/2005, 15:46:04] - Removing Registry references to {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[10/25/2005, 15:46:04] - Adding Internet Explorer Protection (Kill ActiveX) for {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[10/25/2005, 15:46:04] - Removing Winlogon Notify Entry: opnom
[10/25/2005, 15:46:04] - BHO list has been changed! Starting over...
[10/25/2005, 15:46:04] - Finished searching for [MSEvents Object]
[10/25/2005, 15:46:04] - Finishing up...
[10/25/2005, 15:46:04] - Enabling Automatic Reboot on STOP Error.
[10/25/2005, 15:46:04] - Attempting to Restart via STOP error (Blue Screen!)

Logfile of HijackThis v1.99.1
Scan saved at 3:54:21 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AsnFtpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ASNFTP daemon (ASNFTPD) - Unknown owner - C:\WINDOWS\AsnFtpd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe (file missing)
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

#12 Grinler

Grinler

    Lawrence Abrams



Posted 25 October 2005 - 04:06 PM

Did you install this yourself?
O23 - Service: ASNFTP daemon (ASNFTPD) - Unknown owner - C:\WINDOWS\AsnFtpd.exe

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on MSNSVC and SMSC and delete them.

Reboot and post a last log.

#13 gotsum


Posted 25 October 2005 - 05:40 PM

O23 - Service: ASNFTP daemon (ASNFTPD) - Unknown owner - C:\WINDOWS\AsnFtpd.exe
I don't recall installing the above.

Also, before all of this happened the activity light on my DSL modem would only blink when I was surfing or downloading. Now it blinks even though I've stepped away from my computer (still connected of course). When my roommate is the only one online, however, the modem seems normal ... the activity light blinks only when he is at his computer and it stops when he walks away. I also checked the bytes sent/received and there is definitely something that is transmitting from my computer without me doing it!?!?

Logfile of HijackThis v1.99.1
Scan saved at 6:30:22 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AsnFtpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ASNFTP daemon (ASNFTPD) - Unknown owner - C:\WINDOWS\AsnFtpd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

#14 Grinler

Grinler

    Lawrence Abrams



Posted 26 October 2005 - 12:47 PM

Click on start then run and type services.msc and press enter. Scroll down till you see asnftp daemon and double click on it. Then stop the service and set its startup to disabled.

Now, start hijackthis and click on the config button and then the misc tools button. Then click on the delete an nt service button.

In the field type ASNFTPD and press the OK button.

Reboot and post a new log and tell me if the activity lights stopped.

#15 gotsum


Posted 27 October 2005 - 02:07 PM

Everything is getting better. All of a sudden I have this poka poka thing?!? :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:31 PM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\etb\pokapoka78.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{20695ADB-AC46-42EB-9A67-808D1CB182F1}: NameServer = 151.197.0.38 151.197.0.39
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
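The entry classes Grinler acted on in posts #10 and #12 (an O2 BHO with a blank name, O20 Winlogon Notify DLLs, an O23 service with "Unknown owner" whose binary sits in C:\WINDOWS rather than system32, an O23 whose file is missing), and the new O4 autostart that shows up between the logs in #13 and #15, can all be picked out mechanically. The script below is an added example, not code from this thread, from HijackThis or from VirtumundoBeGone: it parses HijackThis-style log lines, flags those entry classes, and diffs two scans to list what appeared and disappeared. The sample logs are subsets of the logs posted in this thread; the allowlist of Windows XP Winlogon Notify package names and the "outside system32" heuristic are assumptions of this example, meant to surface entries worth a look rather than to prove infection.

```python
"""Parse HijackThis-style log lines, flag entry classes that warranted action in this
thread, and diff two scans to surface newly added autostart entries (added example)."""
import re
from dataclasses import dataclass

# Sample input: subsets of the logs posted in this thread.
# Entries Grinler told the poster to fix in post #10.
LOG_EARLY = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\opnom.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: opnom - C:\WINDOWS\System32\opnom.dll
"""
# Post #13 (before the ASNFTPD service was removed).
LOG_BEFORE = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ASNFTP daemon (ASNFTPD) - Unknown owner - C:\WINDOWS\AsnFtpd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
# Post #15 (after the service removal; a new O4 entry has appeared).
LOG_AFTER = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Winlogon Notify packages that ship with Windows XP (assumed allowlist for this
# example; a name missing here is a hint to investigate, not proof of infection).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass(frozen=True)
class Entry:
    kind: str   # section code such as "O4" or "O23"
    body: str   # text after the "O4 - " prefix
    raw: str    # the whole line as logged


LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def parse_log(text):
    """Return the HijackThis entry lines of a log as Entry objects, in order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def outside_system32(command):
    # True when the command references a file under the Windows directory but not
    # under system32, the pattern shared by AsnFtpd.exe and etb\pokapoka78.exe here.
    c = command.lower()
    return "\\windows\\" in c and "\\windows\\system32\\" not in c


def find_suspicious(entries):
    """Return (entry, reason) pairs for entries matching the thread's action criteria."""
    findings = []
    for e in entries:
        if e.kind == "O2":
            m = O2_RE.match(e.body)
            if m and m.group(1).strip().lower() == "(no name)":
                findings.append((e, "BHO registered without a name"))
        elif e.kind == "O4":
            m = O4_RE.match(e.body)
            if m and outside_system32(m.group(4)):
                findings.append((e, "autostart binary in a non-standard Windows subdirectory"))
        elif e.kind == "O20":
            m = O20_RE.match(e.body)
            if m and m.group(1).lower() not in KNOWN_NOTIFY:
                findings.append((e, "Winlogon Notify package not shipped with Windows XP"))
        elif e.kind == "O23":
            m = O23_RE.match(e.body)
            if not m:
                continue
            owner, path = m.group(2), m.group(3)
            if path.endswith("(file missing)"):
                findings.append((e, "service points at a file that no longer exists"))
            elif owner == "Unknown owner" and outside_system32(path):
                findings.append((e, "service with no vendor info whose binary lives outside system32"))
    return findings


def diff_logs(before, after):
    """Return (added, removed) entry lists between two parsed logs, case-insensitively."""
    b = {e.raw.lower(): e for e in before}
    a = {e.raw.lower(): e for e in after}
    added = [a[k] for k in sorted(a.keys() - b.keys())]
    removed = [b[k] for k in sorted(b.keys() - a.keys())]
    return added, removed


if __name__ == "__main__":
    for name, text in (("post #10", LOG_EARLY), ("post #13", LOG_BEFORE), ("post #15", LOG_AFTER)):
        for entry, reason in find_suspicious(parse_log(text)):
            print(f"{name}: {reason}\n    {entry.raw}")
    added, removed = diff_logs(parse_log(LOG_BEFORE), parse_log(LOG_AFTER))
    print("added since #13:", [e.raw for e in added])
    print("removed since #13:", [e.raw for e in removed])
```

Run against the embedded samples, the "(no name)" BHO and both Winlogon Notify DLLs from post #10 are flagged, the ASNFTPD service is the only flag in the #13 log, and the diff against #15 reports the pokapoka78 autostart as added and the ASNFTPD service as removed. The diff is the more general tool: keeping the previous clean log and diffing each new one is how a new entry like [System service78] stands out immediately, whatever its name.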



