Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - the_doctor2004


  • This topic is locked This topic is locked
10 replies to this topic

#1 the_doctor2004

the_doctor2004

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 07 October 2004 - 07:12 PM

hey guys
i'm a student at grand valley state university and it's important that i can access the internet without complications. i do, however, recieve several popups and other things that i can't get rid off even through ad-aware. also, any further firewall suggestions would be appriciated.
thanks

Logfile of HijackThis v1.97.7
Scan saved at 8:11:44 PM, on 10/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\hunt3dx.exe
C:\WINDOWS\System32\k1ss3d.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Documents and Settings\Alex.AL\Application Data\amee.exe
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\q45d4e5\apc.exe
C:\WINDOWS\FSScrCtl.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\q45d4e5\pp1.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net.exe
C:\Documents and Settings\Alex.AL\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\kommzw.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\Run: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [System Restore] hunt3dx.exe
O4 - HKLM\..\RunServices: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Alex.AL\Application Data\amee.exe
O4 - HKCU\..\Run: [Topfgv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Start It Upping] k1ss3d.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:40 PM

Posted 08 October 2004 - 03:50 AM

Hi the_doctor2004

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please send these files here: dsrk3r/ at /yahoo.com, replace / at / with @ . Thank you.

Open your email program (or your online mail page) and attach these files:

C:\WINDOWS\System32\winmplayer.exe <-- this file
C:\WINDOWS\System32\hunt3dx.exe <-- this file
C:\WINDOWS\System32\k1ss3d.exe <-- this file
C:\Documents and Settings\Alex.AL\Application Data\amee.exe <-- this file
C:\WINDOWS\System32\??plorer.exe <-- this file, look for a filename that ends with plorer
C:\WINDOWS\System32\kommzw.exe <-- this file

c:\windows\system32\q45d4e5\ <-- all files in this folder

You are running an outdated version of HijackThis.
Please download the latest version of HijackThis!: Download here 1.98.2
Save it in a permanent folder such as c:\hjt, execute HijackThis.exe, and post a new log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 the_doctor2004

the_doctor2004
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 08 October 2004 - 07:29 AM

sorry i didn't know my version was outdated. aslo, why am i sending those files to that address?

Logfile of HijackThis v1.98.2
Scan saved at 8:28:13 AM, on 10/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\hunt3dx.exe
C:\WINDOWS\System32\k1ss3d.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Documents and Settings\Alex.AL\Application Data\amee.exe
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\FSScrCtl.exe
c:\windows\system32\q45d4e5\apc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex.AL\Desktop\HijackThis-1.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\kommzw.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\Run: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [System Restore] hunt3dx.exe
O4 - HKLM\..\RunServices: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Alex.AL\Application Data\amee.exe
O4 - HKCU\..\Run: [Topfgv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Start It Upping] k1ss3d.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.chm::/winsearchie32.exe
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nbagckib.dll

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:40 PM

Posted 08 October 2004 - 08:39 AM

why am i sending those files to that address?

For an analysis. This file ??plorer.exe is part of a recent infection and we need to know more about it, how it's installed, what it does, etc. When I see such a file I'm asking for it. Please do me this favour :thumbsup:

I'll be right back with the instructions.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:40 PM

Posted 08 October 2004 - 09:45 AM

the_doctor2004 there is no problem if you don't want to send me the files :thumbsup: .

Please go to Add/Remove programs and remove:
Viewpoint if present.

Print these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\kommzw.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\Run: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [System Restore] hunt3dx.exe
O4 - HKLM\..\RunServices: [Start It Upping] k1ss3d.exe
O4 - HKLM\..\RunServices: [INFO DATA] c:\windows\system32\q45d4e5\repcale.exe c:\windows\system32\q45d4e5\apc.exe
O4 - HKCU\..\Run: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Alex.AL\Application Data\amee.exe
O4 - HKCU\..\Run: [Topfgv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Start It Upping] k1ss3d.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.187.110/winsearchie32.chm::/winsearchie32.exe


Search for these files and delete them if found:
C:\WINDOWS\System32\winmplayer.exe <-- this file
C:\WINDOWS\System32\hunt3dx.exe <-- this file
C:\WINDOWS\System32\k1ss3d.exe <-- this file
C:\Documents and Settings\Alex.AL\Application Data\amee.exe <-- this file
C:\WINDOWS\System32\??plorer.exe <-- this file, look for a filename that ends with plorer

Note: there is a legit file explorer.exe in the c:\windows and C:\WINDOWS\system32\dllcache folder. Don't delete explorer.exe in those two folders.

C:\WINDOWS\System32\kommzw.exe <-- this file
c:\nosuch.mht <-- this file

Delete these folders:
q45d4e5 in c:\windows\system32\
Viewpoint in C:\Program Files\

REBOOT normally.

Perform a full scan here: Trendmicro, tick AutoClean and let him remove anything he finds.

Run HijackThis! again and post a new log.

Edited by cryo, 08 October 2004 - 09:46 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#6 the_doctor2004

the_doctor2004
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 10 October 2004 - 11:56 PM

sorry i never e-mailed the files. my friend read the post and deleted the files before i could tell him to send the files u wanted. i tried that house call thing and i couldn't get that to work. anyway, here's my latest log:

Logfile of HijackThis v1.98.2
Scan saved at 12:53:22 AM, on 10/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Alex.AL\Desktop\HijackThis-1.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ugihkruhyglq] C:\WINDOWS\System32\ifdccvt.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...9c2abfd4ad9ef19
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nbagckib.dll

:thumbsup: :flowers:

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:40 PM

Posted 11 October 2004 - 01:52 AM

Hi

You have new adware installed !

1. Please unistall this program from Add\Remove Programs.
Windows Syncroad / WindUpdates

2. Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

3. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

4. Print these instructions because you are not able to access the Internet in SafeMode.

5. Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

6. REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

7. Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [ugihkruhyglq] C:\WINDOWS\System32\ifdccvt.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...9c2abfd4ad9ef19

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nbagckib.dll

Search for these files and delete them if found:
C:\WINDOWS\System32\ifdccvt.exe <-- this file
C:\WINDOWS\System32\ifdccvt.exe <-- this file
C:\WINDOWS\conscorr.exe <-- this file
C:\WINDOWS\System32\EZPOPS~1.EXE <-- this file

Delete these folders:
Windows SyncroAd in C:\Program Files\

8. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

9. Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

10. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

11. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

12. Check your Internet Explorer Settings:
1. Open Internet Explorer
2. Click Tools / Internet Options
3. Click the Security Tab
4. Click on the Internet Icon
5. Set Security level for this zone to Medium
6. Click OK to close "Internet Options" Window

13. Perform a full scan here: Trendmicro, tick AutoClean and let him remove anything he finds.

14. Run HijackThis! again and post a new log.

Edited by cryo, 19 October 2004 - 06:34 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#8 the_doctor2004

the_doctor2004
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 18 October 2004 - 07:26 AM

help. i've got pop ups every where and every time i run adaware it finds new stuff. even if i run it twice in a row.

Logfile of HijackThis v1.98.2
Scan saved at 8:25:11 AM, on 10/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\system.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hunt3dx.exe
C:\Documents and Settings\Alex.AL\Application Data\amee.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Documents and Settings\Alex.AL\mnyz.exe
C:\WINDOWS\FSScrCtl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Alex.AL\Desktop\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=1000489
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yoursearcher.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [Microsoft Security Updater] system.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wintsc32.exe
O4 - HKLM\..\Run: [uvjcclzggidz] C:\WINDOWS\System32\ifdccvt.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [cfkt] C:\WINDOWS\cfkt.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Microsoft Security Updater] system.exe
O4 - HKLM\..\RunServices: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Security Updater] system.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe
O4 - HKCU\..\Run: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Alex.AL\Application Data\amee.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nbagckib.dll

#9 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  •  
  • Location:Whitby. Ont.
  • Local time:09:40 PM

Posted 18 October 2004 - 10:28 AM

the_doctor2004, you are in good hands.

To remove the new infections:

The system has WORM_RBOT.ZO and Trojan.Mitglieder.B and W32/Agobot-BH by the presence of C:\WINDOWS\System32\winmplayer.exe and C:\WINDOWS\System32\system.exe and C:\Program Files\Win Comm\WinComm.exe
http://uk.trendmicro-europe.com/enterprise...me=WORM_RBOT.ZO
http://securityresponse.symantec.com/avcen...tglieder.b.html
http://www.sophos.com/virusinfo/analyses/w32agobotbh.html

Run an online virus scan:
http://housecall.trendmicro.com
http://www.mcafee.com/myapps/mfs/default.asp

Keep your anti virus application updated daily.

You should install Windows Service Pack 2 and ALL Critical Updates to help from being continually infected.
In Internet Explorer go to Tools then Windows Updates and install each patch one by one rebooting when necessary.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.

Move HijackThis.exe into this folder as you do not want the HijackThis backup logs
all over your Desktop.

When you run HijackThis from C:\HJT folder by double clicking on it and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Go to Add/Remove Programs and uninstall Internet Optimizer and Viewpoint Manager if present.

Delete if still present:
C:\WINDOWS\cfkt.exe
C:\WINDOWS\System32\winmplayer.exe
C:\WINDOWS\System32\system.exe
C:\WINDOWS\System32\hunt3dx.exe
C:\WINDOWS\System32\ifdccvt.exe
C:\WINDOWS\System32\Nbagckib.dll
C:\Program Files\Internet Explorer\IEeng.exe
C:\Documents and Settings\Alex.AL\Application Data\amee.exe
<== files

C:\WINDOWS\EliteToolBar
C:\Program Files\Win Comm
c:\program files\180solutions
C:\Program Files\Power Scan
C:\Program Files\SideFind
<== folders

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=1000489
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1000489
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yoursearcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yoursearcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yoursearcher.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\Run: [Microsoft Security Updater] system.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wintsc32.exe
O4 - HKLM\..\Run: [Microsoft Security Updater] system.exe
O4 - HKLM\..\Run: [System Restore] hunt3dx.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [uvjcclzggidz] C:\WINDOWS\System32\ifdccvt.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [cfkt] C:\WINDOWS\cfkt.exe
O4 - HKLM\..\RunServices: [Microsoft media services] winmplayer.exe
O4 - HKLM\..\RunServices: [Microsoft Security Updater] system.exe
O4 - HKLM\..\RunServices: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Microsoft Security Updater] system.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe
O4 - HKCU\..\Run: [System Restore] hunt3dx.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Alex.AL\Application Data\amee.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Nbagckib.dll


Reboot and Install the prevention protection below and help your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Insure that Index.dat Suite is Setup to empty the Temp folders especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

{user} is the Alex.AL User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDS.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

#10 the_doctor2004

the_doctor2004
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 18 October 2004 - 11:06 AM

thanks. here's my log as it looks now.

Logfile of HijackThis v1.98.2
Scan saved at 12:05:13 PM, on 10/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ISTsvc\istsvc.exe
c:\windows\system32\winstat\apc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\winstat\apc.exe
C:\WINDOWS\FSScrCtl.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\winstat\wshield.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex.AL\Desktop\HijackThis-1.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintsc32.exe
O4 - HKLM\..\RunServices: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKCU\..\RunServices: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

#11 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:40 PM

Posted 19 October 2004 - 06:35 AM

the_doctor2004 you said

it's important that i can access the internet without complications

But I can see you have some diffculties following our instructions.

I will write them again. Please tell me if you have problems with these:

I. You should activate your Windows Firewall or install a third party firewall:
A. Activate Windows Firewall: Use the Internet Connection Firewall

or

B. Install a third party firewall. Read this tutorial and install one: Understanding and Using Firewalls

II. You should go ASAP to Windows Update and install all Critical Updates. Take seriously into consideration installation of the Service Pack 2. Follow this link: http://www.windowsupdate.com/ . You will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

III. CalamityKen and myself told you three times to scan your computer with an online antivirus. Read the instructions below (step no. 11).

IV. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

V. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

VI. You are running HijackThis from your Desktop. You should move HijackThis to it's own, permanent folder, e.g. c:\HJT. This has to be done as HijackThis creates backups. You may need to use those backups.
Read this tutorial: Putting HijackThis Into It's Own folder

Print these instructions because you are not able to access the Internet in SafeMode.

1. Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

2. Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

3. Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

4. REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Open Windows Task Manager.
Press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs, locate this process: APC.EXE
If found, select the malware process, then press the End Process button
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

5. Run HijackThis!, close all other windows and browsers, press Scan, and put a check mark next to all these:

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintsc32.exe
O4 - HKLM\..\RunServices: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKCU\..\Run: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe
O4 - HKCU\..\RunServices: [SP2 data] c:\windows\system32\winstat\repcale.exe c:\windows\system32\winstat\apc.exe

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab


Then press Fix Checked button.

6. Search for these files and delete them if found:
C:\windows\system32\wintsc32.exe <-- this file

Delete these folders:
c:\program files\180solutions\ <-- this folder
c:\windows\system32\winstat\ <-- this folder
C:\Program Files\ISTsvc\ <-- this folder

7. Empty the Recycle Bin.

8. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

9. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

10. REBOOT normally.

11. Run at least an online virus scan:
http://housecall.trendmicro.com
http://www.mcafee.com/myapps/mfs/default.asp

12. Run HijackThis! again and post a new log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users