Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijackthislog: please diagnose


  • Please log in to reply
7 replies to this topic

#1 gavstrabane

gavstrabane

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:57 PM

Posted 21 October 2004 - 12:57 PM

Logfile of HijackThis v1.98.2
Scan saved at 18:41:17, on 21/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\AFKJFCCX\cmb_260933[1].exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\hijackthis[1]\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe

R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.dll
F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098016101376
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba897.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba897.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100

:thumbsup:

BC AdBot (Login to Remove)

 


#2 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:57 AM

Posted 22 October 2004 - 03:36 AM

Hi,

Having a look.

#3 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:57 AM

Posted 22 October 2004 - 03:52 AM

Go to Add/Remove Programs, remove any instance of;

Web_Rebates
BullsEye Network


Next:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.dll

F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.dll

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba897.exe

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba897.exe

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\Program Files\BullsEye Network<<Folder
C:\Program Files\Web_Rebates<<Folder
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\AFKJFCCX<<Folder
C:\WINDOWS\Downloaded Program Files\CONFLICT.1<<Folder

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#4 gavstrabane

gavstrabane
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:57 PM

Posted 28 October 2004 - 08:35 AM

thanks for help so far!!! here is new log:
Logfile of HijackThis v1.98.2
Scan saved at 14:34:52, on 28/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Win Comm\WinComm.exe
C:\temp\msbb.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Win Comm\WinLock.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\hijackthis[1]\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [krwhczon] C:\WINDOWS\krwhczon.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...1ca425ac8dc57f1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098016101376
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100

#5 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:57 AM

Posted 28 October 2004 - 09:10 AM

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe

O4 - HKLM\..\Run: [krwhczon] C:\WINDOWS\krwhczon.exe

O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - 5ce7b707a7b014608146bf64c11c4ac2bb2385:2cd78e84a3b908ce71ca425ac8dc57f1" target=_blankhttp://public.windupdates.com/get_file.php...1ca425ac8dc57f1

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\Program Files\Win Comm<<Folder
C:\temp\msbb.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\krwhczon.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#6 gavstrabane

gavstrabane
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:57 PM

Posted 29 October 2004 - 06:35 AM

Thanks for last reply.here is the latest log.That damn a-search.biz is still there but my computer is starting up faster.
Logfile of HijackThis v1.98.2
Scan saved at 12:32:38, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Win Comm\WinComm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Win Comm\WinLock.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\hijackthis[1]\HijackThis.exe

F2 - REG:system.ini: UserInit=Userinit.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098016101376
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E2CE62A-C333-42EF-96C3-77327AF81156}: NameServer = 194.168.4.100 194.168.8.100

#7 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:57 AM

Posted 29 October 2004 - 09:10 AM

Go CTRL>SHIFT>ESC>Processes Tab>"End Process" on

WinComm.exe
WinLock.exe


Next:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\Program Files\Win Comm<<Folder

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#8 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:02:57 AM

Posted 01 November 2004 - 01:36 PM

Having just been given a heads up on this new infection, please do this:

Download KillBox. Extract it from the zip file then double-click on Killbox.exe to run it.

You will need to killbox both of these files and then reboot:

c:\windows\system32\_huytam_.exe
c:\windows\system32\_huytam_.dll

Add the exe first In the 'Paste Full Path of File to Delete' box but do not reboot. Then add the .dll to killbox and then let it reboot.

Post a fresh log when you have done that.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users