Urgant


  • This topic is locked
4 replies to this topic

#1 oOoxashiexoOo

oOoxashiexoOo

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:19 PM

Posted 31 December 2005 - 11:12 PM

My computer is completely freezing and will not let me do a thing. It is covered with spyware, and it will not let me use spyware search and destroy or anything I have. I have a firewall, which catches and removes most viruses, but I think most get through. I ran chkdsk which got rid of a few also. Here's my HijackThis log. If you find anything I can delete, please let me know. Thank you so much!

Logfile of HijackThis v1.99.1
Scan saved at 11:08:28 PM, on 12/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lo31.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\ItBill\itbill.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\norml\palsp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\miunst_.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R3 - URLSearchHook: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [strtas] lo31.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [LonPS2] c:\windows\system32\norml\repcale.exe c:\windows\system32\norml\palsp.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [strtas] lo31.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [strtas] lo31.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134937708343
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:10:19 PM

Posted 08 January 2006 - 09:29 AM


Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your Malware issues: This may or may not, solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

Mat2




#3 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:10:19 PM

Posted 08 January 2006 - 10:38 AM

Hi & Welcome to the forum.

i have a fire wall, which catches and removes most viruses, but i think most get through. I ran chkdsk which got rid of a few also.


Software Firewalls

Most people have heard about computer hacking. So ..........

Are you running a firewall on your machine? You should be! Without any firewall protection, you are at a much higher risk of being attacked/cracked through the internet. Example: Windows, by default, allows connections on port 135/139. If I know your IP address I can easily get a list of users on your machine through that connection. If any of them are using weak passwords, it will take less than a few hours to crack, and then I will have full access as that user. The blaster worm and the welchia worm connected through ports 135 and 139 as well. When you run a firewall, it hides your computer online such that it only shows itself when you initiate a connection. If you aren't running any servers, this is what you want, as hackers can't see or access your computer.

Also have a look here about firewalls

Anti Virus

Most people know of computer viruses. You should always have an anti-virus system running. It should have updated virus signature files downloaded daily for broadband and weekly for dialup connections. You should not have more than one anti-virus system active at any one time.
Many of you have probably heard of the recent viruses that caused havoc on the internet: Blaster, Welchia, Slammer, CodeRed, Nimda, and, most recently, Swen. While these can cause damage to your computer if you get infected, there are some simple steps you can take to greatly reduce your chances of infection.

First: what is a virus and how does one get infected?

A virus, much like the medical term, is a bit of software code that is self replicating. It need not do anything harmful or malicious, it just needs to reproduce itself. Some viruses attach themselves to the first sectors of Floppy disks, which is automatically read when you open a floppy. Most these days come through the internet. A virus is unique in that it infects other files, and then gets passed along with them, much like a virus infects a cell in your body. A virus doesn't necessarily need a security hole to work- as you can be the one who starts it spreading. There are different types of viruses, named after the different ways in which they operate and which files they infect. All operate in a similar manner.

Another common malicious program, often labeled a virus by the mass media, is a worm. The difference between worms and viruses is subtle, but a good description is this: worms tend to break into computers and focus on spreading themselves to other computers as rapidly as possible. Viruses tend to sneak in, while worms tend to force their way in. Worms often work their way into a computer without any user action necessary. Thus, Blaster is technically termed a Worm, as it broke into computers through a hole in Windows and ran itself and spread to other computers automatically.

What is believed is the most common malicious code is what is termed a 'Trojan Horse'. Much like the legend, a computer trojan is a program that pretends to be one thing but is actually another, tricking the user into running it. Note that a trojan is harmless until you open it; it can't infect you automatically. Many trojans open back doors to your computer so that crackers can get into your system and use it for various things, like sending spam across the internet.

Note that the types of program aren't defined by what sort of damage they do, but by how they infect computers and how they spread. One type is not intrinsically worse than another, and all of them can do things such as delete all of your files, pop up annoying messages, or make your computer run more slowly.

So, you might be asking- how can I protect myself?

1) Run an Antivirus program, and keep it up to date!
Several companies produce anti virus products. While some are getting better at detecting new viruses automatically, they aren't truly effective until the data file that stores information about known viruses includes the virus to protect against. Thus, it is imperative that you update your 'virus definitions' often, and immediately after a major virus/worm/trojan is released.

Text Courtesy of ChrisRLG

Also, I recommend you install an antivirus program, such as Avast Antivirus; click on the link, it will provide you with all the info and the download link for the program.

CHKDSK only scans for problems with your hard drive, for example checking for any bad sectors. Unfortunately it does not check for any form of malware/spyware.

===============

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

===============

Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders and, with HiJackThis in its current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

The next job you need to do is run an online scan from Trend HouseCall.

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

lo31.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

CME II
GMT, GAIN or GATOR

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

Now, locate and 'stop' the following services, if present:

strtas ... (lo31.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\lo31.exe
C:\Program Files\ItBill\itbill.exe
c:\windows\system32\norml\palsp.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R3 - URLSearchHook: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [strtas] lo31.exe
O4 - HKLM\..\Run: [LonPS2] c:\windows\system32\norml\repcale.exe c:\windows\system32\norml\palsp.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [strtas] lo31.exe
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [strtas] lo31.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O15 - Trusted Zone: http://www.neededware.com

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

===============

Next you need to show all the system files/folders, as follows.

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the "Tools" menu.
  • Click "Folder Options".
  • After the new window appears, select the "View" tab.
  • Put a checkmark in the checkbox labeled "Display the contents of system folders."
  • Under the "Hidden files and folders" section, select the button labeled "Show hidden files and folders".
  • Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
  • Remove the checkmark from the checkbox labeled "Hide protected operating system files".
  • Press the Apply button.
  • Press the "OK" button
  • Close "My Computer".
===============

Using Windows Explorer. Locate and delete the following item(s), if present.

folders...

C:\Program Files\ItBill
c:\windows\system32\norml
C:\Program Files\p2pnetworks
C:\Program Files\Common Files\CMEII
C:\WINDOWS\WinSecurity
C:\Program Files\Common Files\GMT
C:\Program Files\PrecisionTime

files...

C:\WINDOWS\System32\lo31.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe

Search for...

lo31.exe

...using "Start | Search...".

===============

Restart Windows back into normal mode. Post back a new log, and let me know how everything goes. Thanks
Mat2
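Added example, not part of the thread or of HijackThis: a small Python triage script that applies the heuristics behind the fix list above (an O4 autostart with no directory, one launched from a Temp folder, a system-process name outside System32, an O15 Trusted Zone entry, and orphaned O2/R3 entries) to a handful of lines copied from the posted log. The regexes and the rules are my own assumptions, not HijackThis logic; the sample log is a constructed excerpt.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [strtas] lo31.exe
O4 - HKLM\..\RunServices: [strtas] lo31.exe
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Owner\LOCALS~1\Temp\msshed32.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://www.neededware.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
R3 - URLSearchHook: (no name) - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
"""

# "O4 - HKLM\..\Run: [name] command" -> kind and body (assumed line shape).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Registry O4 bodies only; "Global Startup" O4 lines use a different shape.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Names that belong in System32; the same name elsewhere is a classic disguise.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}


def exe_path(cmd):
    """Return the executable part of an autostart command (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_o4(body):
    """Reason to review a registry O4 entry, or None if it looks ordinary."""
    m = O4_RE.match(body)
    if not m:
        return None
    path = exe_path(m.group("cmd"))
    low = path.lower()
    if "\\" not in path:
        return "bare filename with no directory; loaded from the search path"
    if "\\temp\\" in low:
        return "autostart from a Temp directory"
    if path.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and "\\system32\\" not in low:
        return "system-process name outside System32"
    return None


def triage(log_text):
    """Return (line, reason) pairs for entries worth fixing or researching."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reason = None
        if kind == "O4":
            reason = check_o4(body)
        elif kind == "O15":
            reason = "site added to the Trusted Zone; review, most users never add one"
        elif kind in ("O2", "R3") and body.endswith("(no file)"):
            reason = "orphaned entry; the referenced file no longer exists"
        if reason:
            findings.append((line.strip(), reason))
    return findings
```

Running `triage(SAMPLE_LOG)` flags seven of the nine sample lines and leaves the HP and Messenger autostarts alone, matching the entries the fix list above ticks.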




#4 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:10:19 PM

Posted 20 January 2006 - 05:45 PM

Hi

I am contacting you to see if you still require the help, as I have not heard anything from you. I appreciate you may have been busy.

If you do still need help, please can you Copy/Paste a new HJT Log, back here in this thread.


Do Not Start a New Topic


Regards
Mat2




#5 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:10:19 PM

Posted 30 January 2006 - 05:40 AM

Due to lack of response from the poster, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mat2


