Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Random Green Links And 1111


  • This topic is locked This topic is locked
9 replies to this topic

#1 Pitapockets

Pitapockets

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 18 October 2005 - 12:42 PM

Okay. Here's the story.
My computer had been running slow and freezing up. So I downloaded ad-aware and got rid of alot of that crap. But I still keep getting green links on words that should be plain text and in my Favorites there's a folder called 1111 that returns when I delete it.
I got HijackThis but I don't know what to do. So, I hope you can help.
So without further ado...

Logfile of HijackThis v1.99.1
Scan saved at 1:39:07 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\T3duZXIA\command.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\winc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLServiceHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsc32.dll
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Client Update] C:\WINDOWS\wup.exe
O4 - HKLM\..\Run: [REGRUN] C:\winc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [nyehqkc] C:\WINDOWS\nyehqkc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c18.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/gods...gsm1009_sp2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axin...all4110_sp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91872B62-9506-47C6-9DA8-473A211B65F9}: NameServer = 151.202.0.85 151.203.0.85
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

BC AdBot (Login to Remove)

 


#2 Pitapockets

Pitapockets
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 19 October 2005 - 06:04 PM

<bumped>
I don't want to sound pushy, but I could really use your help.
It may be in my head, but I seem to get more and more pop ups and green links each time I connect.
If you don't know what to do, perhaps you can reccomend another help discussion boards...

#3 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 22 October 2005 - 02:31 AM

Hello and Welcome

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • CMSystem / CAS Client
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Command Service (cmdService)
  • Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in "Service name" & then click on the OK button
Answer No when prompted to reboot

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis & place a check next to these items and select "Fix checked":

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsc32.dll
O4 - HKLM\..\Run: [Client Update] C:\WINDOWS\wup.exe
O4 - HKLM\..\Run: [REGRUN] C:\winc.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [nyehqkc] C:\WINDOWS\nyehqkc.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c18.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/gods...gsm1009_sp2.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axin...all4110_sp2.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\CMSystem\
    C:\Program Files\System Files\
    C:\WINDOWS\T3duZXIA\
Locate and delete the following files:
  • C:\WINDOWS\system32\nsc32.dll
    C:\WINDOWS\wup.exe
    C:\winc.exe
    C:\WINDOWS\system32\APD123.exe
    C:\WINDOWS\nyehqkc.exe
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  • Select Drive C: & click the 'OK' button
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click the 'OK' button
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please perform an online scan with Internet Explorer at one of the following sites:Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • Online scan
  • Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

#4 Pitapockets

Pitapockets
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 22 October 2005 - 03:39 PM

Well, the green links and 1111 are still there but so far, no pop ups. It also seem there are less green links, but that could just be wishful thinking. :thumbsup:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

My computer will not allow me to get rid of
C:\WINDOWS\T3duZXIA\

Current Logs:

HighJack This
Logfile of HijackThis v1.99.1
Scan saved at 4:34:20 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HighJack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italefod.dll
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91872B62-9506-47C6-9DA8-473A211B65F9}: NameServer = 151.202.0.85 151.203.0.85
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe


Kaspersky Web Scanner
None. But my default anti-virus is Kaspersky, and I do real-time updates.

Antispyware.log
4 item(s) classified as Cookie

#5 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 22 October 2005 - 07:29 PM

C:\WINDOWS\T3duZXIA\

If you have rebooted since your last attempt, try deleting the folder again. It shouldn't give you any problems now.


Have HijackThis fix these:

O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\system32\bho.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italefod.dll



If you have Kaspersky installed, you should still do an online scan at Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

#6 Pitapockets

Pitapockets
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 23 October 2005 - 01:43 AM

Currently, No green links, No 1111 folder, No pop-ups! :thumbsup:

HighJack This

Logfile of HijackThis v1.99.1
Scan saved at 2:38:46 AM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HighJack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91872B62-9506-47C6-9DA8-473A211B65F9}: NameServer = 151.202.0.85 151.203.0.85
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe



Panda ActiveScan

Adware:adware/consumeralertsystemReported C:\Documents and Settings\Owner\Local Settings\Temp\cassetup.exe
Adware:adware/kingporn Reported C:\Documents and Settings\Owner\Local Settings\Temp\ExtractDLL.dll
Adware:adware/pacimedia Reported C:\Documents and Settings\Owner\Favorites\1111\1111.url
Adware:adware/exact.bargainbuddyReported C:\WINDOWS\SYSTEM32\bho.dll
Spyware:spyware/surfsidekick Reported C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/gator Reported C:\WINDOWS\GatorUninstaller_cme.log
Adware:adware/twain-tech Reported C:\WINDOWS\smdat32a.sys
Adware:adware program Reported C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/cws Reported C:\Documents and Settings\Owner\Favorites\Shop
Adware:adware/elitebar Reported C:\WINDOWS\etb
Adware:adware/wupd Reported Windows Registry
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/64.62.232 Reported C:\Documents and Settings\Owner\Cookies\owner@64.62.232[1].txt
Spyware:Cookie/888 Reported C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt
Spyware:Cookie/Secrets Reported C:\Documents and Settings\Owner\Cookies\owner@advertisers-secrets[1].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Owner\Cookies\owner@ask[2].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Enhance Reported C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
Spyware:Cookie/GoClick Reported C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@c2.gostats[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@c3.gostats[2].txt
Spyware:Cookie/Centralmedia Reported C:\Documents and Settings\Owner\Cookies\owner@centralmedia[2].txt
Spyware:Cookie/360i Reported C:\Documents and Settings\Owner\Cookies\owner@ct.360i[1].txt
Spyware:Cookie/Kazaa Networks Reported C:\Documents and Settings\Owner\Cookies\owner@desktop.kazaa[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/empnads Reported C:\Documents and Settings\Owner\Cookies\owner@empnads[1].txt
Spyware:Cookie/FortuneCity Reported C:\Documents and Settings\Owner\Cookies\owner@fortunecity[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@gostats[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Screensavers Reported C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[2].txt
Spyware:Cookie/VirtualBouncer Reported C:\Documents and Settings\Owner\Cookies\owner@install.spywarelabs[1].txt
Spyware:Cookie/Kount Reported C:\Documents and Settings\Owner\Cookies\owner@kount[1].txt
Spyware:Cookie/LinkExchange Reported C:\Documents and Settings\Owner\Cookies\owner@linkexchange[2].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/Mp3search Reported C:\Documents and Settings\Owner\Cookies\owner@mp3search[2].txt
Spyware:Cookie/Qsrch Reported C:\Documents and Settings\Owner\Cookies\owner@newnet.qsrch[1].txt
Spyware:Cookie/Paypopup Reported C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt
Spyware:Cookie/Pollstar Reported C:\Documents and Settings\Owner\Cookies\owner@pollstar[1].txt
Spyware:Cookie/Seeq Reported C:\Documents and Settings\Owner\Cookies\owner@seeq[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt
Spyware:Cookie/Reliablestats Reported C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/Toplist Reported C:\Documents and Settings\Owner\Cookies\owner@toplist[2].txt
Spyware:Cookie/TopRebates.com Reported C:\Documents and Settings\Owner\Cookies\owner@toprebates[2].txt
Spyware:Cookie/Tradedoubler Reported C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
Spyware:Cookie/Valueclick Reported C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt
Spyware:Cookie/Affiliate fuel Reported C:\Documents and Settings\Owner\Cookies\owner@www.affiliatefuel[2].txt
Spyware:Cookie/Mp3s Hits Reported C:\Documents and Settings\Owner\Cookies\owner@www.mp3bleeps[1].txt
Spyware:Cookie/seeqA Reported C:\Documents and Settings\Owner\Cookies\owner@www.seeq[2].txt
Spyware:Cookie/TopRebates.com Reported C:\Documents and Settings\Owner\Cookies\owner@www.toprebates[2].txt
Spyware:Cookie/MyWay Reported C:\Documents and Settings\Owner\Cookies\owner@www.xzoomy[2].txt
Spyware:Cookie/Buydomains Reported C:\Documents and Settings\Owner\Cookies\owner@www47.buydomains[1].txt
Spyware:Cookie/Seeq Reported C:\Documents and Settings\Owner\Cookies\owner@www48.seeq[1].txt
Spyware:Cookie/Xiti Reported C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Yadro Reported C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt
Virus:Exploit/ByteVerify Reported C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-4a354738-3c872347.zip[Dummy.class]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/64.62.232 Reported C:\Documents and Settings\Owner\Cookies\owner@64.62.232[1].txt
Spyware:Cookie/888 Reported C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Reported C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt
Spyware:Cookie/Secrets Reported C:\Documents and Settings\Owner\Cookies\owner@advertisers-secrets[1].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Owner\Cookies\owner@ask[2].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Enhance Reported C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
Spyware:Cookie/GoClick Reported C:\Documents and Settings\Owner\Cookies\owner@c.goclick[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@c2.gostats[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@c3.gostats[2].txt
Spyware:Cookie/Centralmedia Reported C:\Documents and Settings\Owner\Cookies\owner@centralmedia[2].txt
Spyware:Cookie/360i Reported C:\Documents and Settings\Owner\Cookies\owner@ct.360i[1].txt
Spyware:Cookie/Kazaa Networks Reported C:\Documents and Settings\Owner\Cookies\owner@desktop.kazaa[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/empnads Reported C:\Documents and Settings\Owner\Cookies\owner@empnads[1].txt
Spyware:Cookie/FortuneCity Reported C:\Documents and Settings\Owner\Cookies\owner@fortunecity[2].txt
Spyware:Cookie/GoStats Reported C:\Documents and Settings\Owner\Cookies\owner@gostats[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Screensavers Reported C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[2].txt
Spyware:Cookie/VirtualBouncer Reported C:\Documents and Settings\Owner\Cookies\owner@install.spywarelabs[1].txt
Spyware:Cookie/Kount Reported C:\Documents and Settings\Owner\Cookies\owner@kount[1].txt
Spyware:Cookie/LinkExchange Reported C:\Documents and Settings\Owner\Cookies\owner@linkexchange[2].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/Mp3search Reported C:\Documents and Settings\Owner\Cookies\owner@mp3search[2].txt
Spyware:Cookie/Qsrch Reported C:\Documents and Settings\Owner\Cookies\owner@newnet.qsrch[1].txt
Spyware:Cookie/Paypopup Reported C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt
Spyware:Cookie/Pollstar Reported C:\Documents and Settings\Owner\Cookies\owner@pollstar[1].txt
Spyware:Cookie/Seeq Reported C:\Documents and Settings\Owner\Cookies\owner@seeq[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt
Spyware:Cookie/Reliablestats Reported C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/Toplist Reported C:\Documents and Settings\Owner\Cookies\owner@toplist[2].txt
Spyware:Cookie/TopRebates.com Reported C:\Documents and Settings\Owner\Cookies\owner@toprebates[2].txt
Spyware:Cookie/Tradedoubler Reported C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
Spyware:Cookie/Valueclick Reported C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt
Spyware:Cookie/Affiliate fuel Reported C:\Documents and Settings\Owner\Cookies\owner@www.affiliatefuel[2].txt
Spyware:Cookie/Mp3s Hits Reported C:\Documents and Settings\Owner\Cookies\owner@www.mp3bleeps[1].txt
Spyware:Cookie/seeqA Reported C:\Documents and Settings\Owner\Cookies\owner@www.seeq[2].txt
Spyware:Cookie/TopRebates.com Reported C:\Documents and Settings\Owner\Cookies\owner@www.toprebates[2].txt
Spyware:Cookie/MyWay Reported C:\Documents and Settings\Owner\Cookies\owner@www.xzoomy[2].txt
Spyware:Cookie/Buydomains Reported C:\Documents and Settings\Owner\Cookies\owner@www47.buydomains[1].txt
Spyware:Cookie/Seeq Reported C:\Documents and Settings\Owner\Cookies\owner@www48.seeq[1].txt
Spyware:Cookie/Xiti Reported C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Yadro Reported C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt
Adware:Adware/ISearch Reported C:\Documents and Settings\Owner\Local Settings\Temp\cmdinst.exe
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@belnk[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@dist.belnk[2].txt
Spyware:Spyware/SafeSurf Reported C:\Documents and Settings\Owner\Local Settings\Temp\crptclrs.tmp
Spyware:Spyware/SafeSurf Reported C:\Documents and Settings\Owner\Local Settings\Temp\ExtractDLL.dll
Spyware:Spyware/SurfSideKick Reported C:\Documents and Settings\Owner\Local Settings\Temp\iA3.tmp
Adware:Adware/BigTrafficNet Reported C:\Program Files\HighJack This\backups\backup-20051022-102205-466.dll
Spyware:Spyware/SafeSurf Reported C:\Program Files\HighJack This\backups\backup-20051022-234942-764.dll
Adware:Adware/WUpd Reported C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\ichckupd.exe
Spyware:Spyware/SafeSurf Reported C:\WINDOWS\system32\italefod.dll
Adware:Adware/ISearch Reported C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe

Edited by Pitapockets, 23 October 2005 - 02:55 AM.


#7 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 23 October 2005 - 04:26 AM

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate & delete these files/folders: (inform me of any which you fail to find/delete)


C:\WINDOWS\SYSTEM32\bho.dll
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\ichckupd.exe
C:\WINDOWS\system32\italefod.dll
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Documents and Settings\Owner\Favorites\Shop
C:\WINDOWS\etb
C:\Documents and Settings\Owner\Favorites\1111\




Download & install - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!



Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  • In the popup box that appears, type in C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
  • Click the Open button.
  • Click YES when prompted to restart your computer.
Reboot & post a new HJT log

#8 Pitapockets

Pitapockets
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 23 October 2005 - 02:11 PM

Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 3:09:48 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLServiceHost.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1125718142\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HighJack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125718142\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91872B62-9506-47C6-9DA8-473A211B65F9}: NameServer = 151.202.0.85 151.203.0.85
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#9 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 23 October 2005 - 02:33 PM

Your system is clean. Please follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  • SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day. Posted Image

Please respond to this thread one more time so we can mark this thread as resolved.

#10 Pitapockets

Pitapockets
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 23 October 2005 - 07:25 PM

Thank you so much for helping me with this. You're a freakin' genius. :thumbsup:
I'll definitely be keeping my new removal programs updated.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users