
HJT Log - ttoztr1


18 replies to this topic

#1 ttoztr1

ttoztr1

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 19 October 2004 - 03:45 PM

I am using a laptop from work and "caught" a virus. I am being redirected to "easy-search.biz" or "worldtrafficer" websites. My LAN settings in Internet Explorer are being changed to use a proxy. Any help would be much appreciated. I did try to "clean" it before I found this site (CWShredder, Ad Aware, Symantec) without any luck.

Here is the current log after restarting:

Logfile of HijackThis v1.98.0
Scan saved at 4:34:56 PM, on 10/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKLM\..\Run: [SMA Utility] idsetnwa.exe /R
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098218010444
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com


Thanks for all your help.
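The log above shows the three patterns that mark this hijack: a ProxyServer value forced to 127.0.0.1:8080, an HKLM start page replaced with easy-search.biz, and Run entries that launch bare filenames whose names are one or two letters off lsass.exe and svchost.exe. The script below is an added example, not part of the original post and not a HijackThis feature: it triages lines in HijackThis v1.98 format for exactly those patterns and runs on a constructed sample modelled on this log. The allow-listed home page (www.dell.com, taken from the Default_Page_URL line) and the expected directories for core Windows binaries are assumptions, not facts the log states.

```python
"""Triage HijackThis-format log lines for the hijack patterns seen in this thread:
a loopback proxy forced on IE, a replaced start page, Run-key entries that launch
bare filenames, and process names that are near-misses of core Windows binaries."""
import ntpath
import re

# Core Windows process names (without .exe) that malware likes to imitate.
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass",
              "svchost", "spoolsv", "explorer", "userinit"}
# Assumed legitimate home of each core binary on Windows XP (explorer lives in \WINDOWS).
EXPECTED_DIR = {name: r"c:\windows\system32" for name in CORE_NAMES}
EXPECTED_DIR["explorer"] = r"c:\windows"
# Assumed corporate default home page, taken from the Default_Page_URL line in the log.
HOMEPAGE_ALLOW = {"www.dell.com", "dell.com"}

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROCESS_LINE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance; inlined so the script has no third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem):
    """Core name that `stem` imitates (within 2 edits and near-equal length), else None."""
    stem = stem.lower()
    if stem in CORE_NAMES:          # the real binary name, not an imitation
        return None
    for core in sorted(CORE_NAMES):
        if abs(len(stem) - len(core)) <= 1 and levenshtein(stem, core) <= 2:
            return core
    return None


def executable_from(cmd):
    """The program a Run-key command launches: the quoted path, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(lines):
    """Return (finding_kind, line) pairs for every suspicious line, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := R_LINE.match(line)):
            value, data = m["value"].strip(), m["data"].strip()
            if value == "ProxyServer" and re.search(r"\b(127\.0\.0\.1|localhost)\b", data):
                findings.append(("loopback_proxy", line))
            elif value == "Start Page":
                host = re.sub(r"^https?://", "", data).split("/")[0].lower()
                if host not in HOMEPAGE_ALLOW:
                    findings.append(("start_page_changed", line))
        elif (m := O4_LINE.match(line)):
            exe = executable_from(m["cmd"])
            stem = ntpath.splitext(ntpath.basename(exe))[0]
            if not ntpath.dirname(exe):     # resolved by PATH search: nothing pins down what runs
                findings.append(("bare_filename_autorun", line))
            if (core := lookalike_of(stem)):
                findings.append((f"lookalike_of_{core}", line))
        elif PROCESS_LINE.match(line):      # an entry from the "Running processes" list
            stem = ntpath.splitext(ntpath.basename(line))[0].lower()
            if (core := lookalike_of(stem)):
                findings.append((f"lookalike_of_{core}", line))
            elif stem in CORE_NAMES and ntpath.dirname(line).lower() != EXPECTED_DIR[stem]:
                findings.append(("core_name_wrong_directory", line))
    return findings


# Constructed sample modelled on the log above; not a real log.
SAMPLE = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\svshost.exe",
    r"C:\WINDOWS\lssas.exe",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [Games Acceleration] svshost.exe",
    r"O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]

if __name__ == "__main__":
    for kind, line in triage(SAMPLE):
        print(f"{kind:28} {line}")
```

The lookalike check deliberately requires near-equal length, so a short legitimate name such as msmsgs.exe is not matched against smss.exe; a bare filename in a Run key is reported as a review item rather than as malware, since entries like pctspk.exe in this log are bare too.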



#2 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 19 October 2004 - 06:21 PM

Hi,

You have used an older version of HijackThis, please do this:

Update HijackThis to version 1.98.2
To do that, do this:
• run HijackThis
• select Config > Misc Tools and select "Update online", then Yes.

If that doesn’t work download a new copy Here and then delete your old copy


Run a scan and post a new Hijackthis log after you are done.

#3 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 19 October 2004 - 09:12 PM

Thanks...here is the scan from the updated program.

Logfile of HijackThis v1.98.2
Scan saved at 10:08:13 PM, on 10/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HJthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKLM\..\Run: [SMA Utility] idsetnwa.exe /R
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098218010444
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com

#4 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 19 October 2004 - 11:51 PM

Printing this may help you

As you have a variety of issues, I suggest you proceed as follows:
Download the latest version of CWShredder http://www.bleepingcomputer.com/files/cwshredder.php by Merijn Bellekom, the creator of HijackThis. Check for updates!! If it is version 1.59.1 that is ok.

Run it, press 'Fix', and allow it to fix all it finds.

Download Spybot - Search & Destroy Here

After installing, you MUST first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot clean all the items marked in red.

Next;

Now download Ad-Aware SE Here
After installing AAW, and before running the program, you NEED to FIRST check for updates.

Reconfigure Ad-Aware SE for a custom scan:

Launch the program, and click on the Gear at the top of the start screen.

Under "General Settings" all available options should be selected.

Click the "Scanning" button.
Under "Drives, Folders and Files," select "Scan within Archives".
Click "Drives and folders to scan" and select your installed hard drives.
Under "Memory & Registry," select all options.

Click the "Advanced" button.
Under "Logfile detail level," select all options.

Click the "Defaults" button.
If you want to keep your current settings for your homepage and searchpage,
select "Read current settings from system." Otherwise, Ad-aware will reset them.

Click the "Tweak" button.
Under "Scanning Engine," select the following:
"Unload recognized processes during scanning."
Under "Cleaning Engine," select the following:
"Always try to unload modules before deletion."
"During removal unload Explorer and IE if necessary."
"Let Windows remove files in use after reboot."
Click on "Proceed" to save these Preferences.

Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

When you've done all that, re-run Hijack This, and show me a fresh log.

There may be more to do!

#5 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 20 October 2004 - 01:32 AM

Ok...done with that.

The problem still exists. Here is the next log...


Logfile of HijackThis v1.98.2
Scan saved at 2:28:26 AM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\BridgeDeCor.exe
C:\WINDOWS\System32\idsetnwa.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\System32\winplcman.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HJthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKLM\..\Run: [SMA Utility] idsetnwa.exe /R
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098218010444
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com


Thank you for the help

#6 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  • Location:Whitby. Ont.
  • Local time:08:33 PM

Posted 20 October 2004 - 02:14 AM

ttoztr1, the system has several problems.

The system has Win32.Small.bj trojan
http://www.antiviraldp.com/virus_list/list_11.htm

Please read:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=6546

Install Windows Service Pack 2 and ALL Critical Updates.

#7 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 20 October 2004 - 02:27 AM

Yes, we have more to do. Please do this now:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

O4 - HKLM\..\Run: [SMA Utility] idsetnwa.exe /R

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe

O4 - HKLM\..\Run: [Games Acceleration] svshost.exe

O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe

O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe

O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

Restart your computer in Safe Mode. Also make sure you show hidden and system files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show.

C:\WINDOWS\System32\idsetnwa.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#8 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 20 October 2004 - 01:30 PM

Done...here is the next log. I still have the LAN settings (in Internet Explorer under Tools/Connections) changing themselves back to "Proxy Server".

Logfile of HijackThis v1.98.2
Scan saved at 2:27:05 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\BridgeDeCor.exe
C:\WINDOWS\System32\winplcman.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HJthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098218010444
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com

#9 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 20 October 2004 - 01:36 PM

Ok, fix these 2 lines:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local


Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#10 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 20 October 2004 - 01:44 PM

I did that and it looks like everything came back now.

Logfile of HijackThis v1.98.2
Scan saved at 2:43:16 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\BridgeDeCor.exe
C:\WINDOWS\System32\winplcman.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HJthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098218010444
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com

#11 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 20 October 2004 - 02:59 PM

How many users on this System?

#12 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 20 October 2004 - 03:32 PM

Just myself...I am usually logged in as the administrator, however I do have a separate account on the laptop where I check my email.

#13 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 20 October 2004 - 04:11 PM

Ok, as the administrator do this:

Restart your computer in Safe Mode.

Run CWShredder again, press 'fix' not scan, allow it to fix all it finds. If you don't have it, do this:

Download the latest version of CWShredder http://www.bleepingcomputer.com/files/cwshredder.php by Merijn Bellekom, the creator of HijackThis. Check for updates!! If it is version 1.59.1 that is ok.

Run it, press 'Fix', and allow it to fix all it finds.

Next:

Go, CTRL>SHIFT>ESC>Processes Tab>"End Process" on;

iau.exe
stisvsq.exe
svshost.exe
msqdevl.exe
lssas.exe
mservice.exe


Next:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe

O4 - HKLM\..\Run: [Games Acceleration] svshost.exe

O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe

O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe

O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

Also make sure you show hidden and system files. Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show.

C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.
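Posts #8 and #10 show the pitfall that the procedure in post #13 addresses: the Run entries and proxy settings were fixed in HijackThis while the dropper processes were still running, so they were written straight back. The script below is an added example, not part of the original thread or of HijackThis: it diffs the entry lists of successive logs so that an entry that was removed and then returned stands out as a sign that whatever re-creates it is still alive. The three mini-logs are constructed and modelled on the thread, not copied from it.

```python
"""Compare successive HijackThis logs to separate remediation that held from
entries that were fixed and then came back, which is what a still-running
dropper does when only its registry entries are removed."""
import re

ENTRY = re.compile(r"^[RO]\d+ - ")   # R0/R1/O2/O4/... entry lines


def entries(log_text):
    """The R*/O* entry lines of a log as a set; the header and process list are ignored."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY.match(ln.strip())}


def compare(before, after):
    """Entries removed and added between two consecutive logs."""
    a, b = entries(before), entries(after)
    return {"removed": sorted(a - b), "added": sorted(b - a)}


def reappeared(logs):
    """Entries that vanished between two logs of the sequence and are back in a later one."""
    seen = [entries(log) for log in logs]
    back = set()
    for i in range(1, len(seen) - 1):
        gone = seen[i - 1] - seen[i]
        for later in seen[i + 1:]:
            back |= gone & later
    return sorted(back)


# Constructed mini-logs modelled on posts #5, #8 and #10 of this thread (not real logs).
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\lssas.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
"""

# After "fix checked" on the O4 lines: they are gone, the proxy setting is still there.
LOG_AFTER_FIX = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
"""

# A later scan: the dropper was never stopped, so the O4 entries are back.
LOG_LATER = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\lssas.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
"""

if __name__ == "__main__":
    print("after fix:", compare(LOG_BEFORE, LOG_AFTER_FIX))
    print("later:    ", compare(LOG_AFTER_FIX, LOG_LATER))
    print("reappeared:")
    for entry in reappeared([LOG_BEFORE, LOG_AFTER_FIX, LOG_LATER]):
        print("  ", entry)
```

An entry in the reappeared list means the fix did not hold; the proxy line, which was never removed in this sequence, is reported as persistent by compare() rather than as reappeared.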

#14 ttoztr1

ttoztr1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:33 PM

Posted 20 October 2004 - 07:16 PM

Logfile of HijackThis v1.98.2
Scan saved at 8:09:44 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\BridgeDeCor.exe
C:\WINDOWS\System32\winplcman.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Administrator\Desktop\HJthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hollingsworthgroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hollingsworthgroup.com

#15 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:33 AM

Posted 21 October 2004 - 03:18 AM

Ok, before we go any further, do you use a proxy? As I see, they are still there. Also, do you know of this BridgeDeCor.exe? Do you use an ethernet homeplug bridge?



