Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hostx.exe and Host.exe virus


  • Please log in to reply
6 replies to this topic

#1 swanza26

swanza26

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 10 November 2004 - 02:05 AM

I have the hostx.exe/host.exe virus. Can someone help me get rid of it?

Logfile of HijackThis v1.98.2
Scan saved at 2:04:00 AM, on 11/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\ESSD.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINNT\inf\abrmc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Kristin Swana\My Documents\download\swanza26\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://students.uconn.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: ns.com
O1 - Hosts: ns.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ions.com
O1 - Hosts: ions.com
O1 - Hosts: tions.com
O1 - Hosts: tions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: lutions.com
O1 - Hosts: lutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: solutions.com
O1 - Hosts: solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: ope.com
O1 - Hosts: herscope.com
O1 - Hosts: atherscope.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\cmrba.dat
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Eac_Download] C:\PROGRA~1\COMMON~1\EACCEL~1\download.exe -k
O4 - HKLM\..\Run: [ausvc] C:\WINNT\ausvc.exe
O4 - HKLM\..\Run: [SysScan] C:\WINNT\bvt.exe
O4 - HKLM\..\Run: [ABsr] C:\WINNT\absr.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [iismp3] C:\WINNT\ServicePackFiles\iismp3.exe
O4 - HKLM\..\Run: [*iismp3] C:\WINNT\ServicePackFiles\iismp3.exe
O4 - HKLM\..\Run: [*svcsrv] C:\WINNT\Speech\svcsrv.exe
O4 - HKLM\..\Run: [*wpc] C:\WINNT\ServicePackFiles\wpc.exe
O4 - HKLM\..\Run: [*libmp3] C:\WINNT\Driver Cache\libmp3.exe
O4 - HKLM\..\Run: [*apexp] C:\WINNT\Web\apexp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [*pcinet] C:\WINNT\addins\pcinet.exe
O4 - HKLM\..\Run: [*mfcdll] C:\WINNT\AppPatch\mfcdll.exe
O4 - HKLM\..\Run: [*hardurl] C:\WINNT\system\hardurl.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [*abrmc] C:\WINNT\inf\abrmc.exe
O4 - HKLM\..\RunOnce: [*abrmc] C:\WINNT\inf\abrmc.exe rerun
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\bkinst.exe ren time:1100064510
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdn32.dll
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/0464fe01d67bde9f3801/netzip/RdxIE.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31d2bfd4fc914aaf8500/netzip/RdxIE6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

Edited by swanza26, 10 November 2004 - 02:06 AM.


BC AdBot (Login to Remove)

 


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:12:49 AM

Posted 10 November 2004 - 02:26 AM

Hi, swanza26, and good job on the prompt updating of your HJT version. I saw your log, at first glance I see about 50 bad entries. I'm training at this and it's been a long day. If no response by an HJT Team member, in the morning when I rise, I'll be more than happy to help. :thumbsup:
patiently patrolling, plenty of persisant pests n' problems ...

#3 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:10:49 AM

Posted 10 November 2004 - 04:35 AM

OK i can take this..

since this is now an old log i need you to post a fresh one!

IMPORTANT:after posting the log DO NOT RESTART your computer until you get a response from me
the filenames and paths will change at every reboot, making the log( and the fix) useless
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#4 swanza26

swanza26
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 10 November 2004 - 07:33 AM

I restarted my computer before you posted that. Sorry, I didn't know. Here is my new Hijack.
Logfile of HijackThis v1.98.2
Scan saved at 7:33:46 AM, on 11/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\ESSD.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINNT\inf\abrmc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Kristin Swana\My Documents\download\swanza26\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://students.uconn.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: ns.com
O1 - Hosts: ns.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ions.com
O1 - Hosts: ions.com
O1 - Hosts: tions.com
O1 - Hosts: tions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: lutions.com
O1 - Hosts: lutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: solutions.com
O1 - Hosts: solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: ope.com
O1 - Hosts: herscope.com
O1 - Hosts: atherscope.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\cmrba.dat
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Eac_Download] C:\PROGRA~1\COMMON~1\EACCEL~1\download.exe -k
O4 - HKLM\..\Run: [ausvc] C:\WINNT\ausvc.exe
O4 - HKLM\..\Run: [SysScan] C:\WINNT\bvt.exe
O4 - HKLM\..\Run: [ABsr] C:\WINNT\absr.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [iismp3] C:\WINNT\ServicePackFiles\iismp3.exe
O4 - HKLM\..\Run: [*iismp3] C:\WINNT\ServicePackFiles\iismp3.exe
O4 - HKLM\..\Run: [*svcsrv] C:\WINNT\Speech\svcsrv.exe
O4 - HKLM\..\Run: [*wpc] C:\WINNT\ServicePackFiles\wpc.exe
O4 - HKLM\..\Run: [*libmp3] C:\WINNT\Driver Cache\libmp3.exe
O4 - HKLM\..\Run: [*apexp] C:\WINNT\Web\apexp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [*pcinet] C:\WINNT\addins\pcinet.exe
O4 - HKLM\..\Run: [*mfcdll] C:\WINNT\AppPatch\mfcdll.exe
O4 - HKLM\..\Run: [*hardurl] C:\WINNT\system\hardurl.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [*abrmc] C:\WINNT\inf\abrmc.exe
O4 - HKLM\..\RunOnce: [*abrmc] C:\WINNT\inf\abrmc.exe rerun
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\repair\expbin.exe ren time:1100064510
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdn32.dll
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/0464fe01d67bde9f3801/netzip/RdxIE.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31d2bfd4fc914aaf8500/netzip/RdxIE6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

#5 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:10:49 AM

Posted 10 November 2004 - 08:39 AM

hi

ok here is the fix:

Click on this link http://www.downloads.subratam.org/KillBox.zip to download TheKillbox by Option^Explicit. Extract it from the zip file but don't run it yet.

Go Offline to prevent this infection from 'calling home',
physically disconnect the machine

DO NOT reboot until you have done all of the items below or until prompted by killbox. If a file is not there, skip on to the next one.

Please Print these instructions, you will not be able to access this page in safe mode.

1)Enable
'show all files'

2)Click Start
Run
Type in regedit
Click OK or Enter

Navigate to, and delete if found (in the left pane of Registry Editor) :
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

Close Registry Editor

If for some reason this does not work or is not permitted, do it as soon as you go into safe mode.

3)Now double-click on Killbox.exe to run it. In the drop down menu next to the yellow triangle scroll until you see
C:\WINNT\inf\abrmc.exe and select it. Click the yellow triangle and click yes that you want to end task.
In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
C:\WINNT\inf\abrmc.exe


Next, click on the Action menu and choose "Delete on Reboot". Click the button with the red circle with a
white X in it. Close killbox.

4)As the machine boots back up from the killbox part of this fix boot into safe mode by tapping F8 at boot, then use the up/down arrows to select safe mode

Run the Registry Edit here, if it didn't work in Normal Mode

Open the hijackthis control panel, but don't scan yet.
Click Config, then Misc Tools, then Open Process Manager.
Scroll down the list of running processes and see if color=green]C:\WINNT\inf\abrmc.exe is there.
If it is, highlight it and click kill process.
Do the same for C:\WINNT\repair\expbin.exe

If they aren't listed in running processes, that's fine.

5) On the start page of hijackthis, run a new scan and checkmark/fix the following lines:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: s.com
O1 - Hosts: ns.com
O1 - Hosts: ns.com
O1 - Hosts: ons.com
O1 - Hosts: ons.com
O1 - Hosts: ions.com
O1 - Hosts: ions.com
O1 - Hosts: tions.com
O1 - Hosts: tions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: utions.com
O1 - Hosts: lutions.com
O1 - Hosts: lutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: olutions.com
O1 - Hosts: solutions.com
O1 - Hosts: solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 0solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 80solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: 180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: .180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: v.180solutions.com
O1 - Hosts: ope.com
O1 - Hosts: herscope.com
O1 - Hosts: atherscope.com

O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat

O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat

O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat

O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\cmrba.dat

O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\3pmsii.dat

O4 - HKLM\..\Run: [ausvc] C:\WINNT\ausvc.exe

O4 - HKLM\..\Run: [SysScan] C:\WINNT\bvt.exe

O4 - HKLM\..\Run: [ABsr] C:\WINNT\absr.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [iismp3] C:\WINNT\ServicePackFiles\iismp3.exe

O4 - HKLM\..\Run: [*iismp3] C:\WINNT\ServicePackFiles\iismp3.exe

O4 - HKLM\..\Run: [*svcsrv] C:\WINNT\Speech\svcsrv.exe

O4 - HKLM\..\Run: [*wpc] C:\WINNT\ServicePackFiles\wpc.exe

O4 - HKLM\..\Run: [*libmp3] C:\WINNT\Driver Cache\libmp3.exe

O4 - HKLM\..\Run: [*apexp] C:\WINNT\Web\apexp.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [*pcinet] C:\WINNT\addins\pcinet.exe

O4 - HKLM\..\Run: [*mfcdll] C:\WINNT\AppPatch\mfcdll.exe

O4 - HKLM\..\Run: [*hardurl] C:\WINNT\system\hardurl.exe

O4 - HKLM\..\Run: [*abrmc] C:\WINNT\inf\abrmc.exe

O4 - HKLM\..\RunOnce: [*abrmc] C:\WINNT\inf\abrmc.exe rerun

O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\repair\expbin.exe ren time:1100064510

O4 - Startup: PowerReg Scheduler.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/0464fe01d67bde9f3801/netzip/RdxIE.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31d2bfd4fc914aaf8500/netzip/RdxIE6.cab

O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) -
http://download.buddylinks.net/ShellInstaller.cab

O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)



6)Delete the following files if they are still there:
If you do not know how to manually delete a file or folder, please ASK before attempting this fix
Use the Windows Search Function to locate and delete all instances of


C:\Program Files\AWS~delete the entire folder

C:\program files\partypoker~delete the entire folder

PowerReg Scheduler.exe

C:\WINNT\repair\expbin.exe

C:\WINNT\inf\abrmc.exe

C:\WINNT\system\hardurl.exe

C:\WINNT\AppPatch\mfcdll.exe

C:\WINNT\addins\pcinet.exe

C:\WINNT\Web\apexp.exe

C:\WINNT\Driver Cache\libmp3.exe

C:\WINNT\ServicePackFiles\wpc.exe

C:\WINNT\ServicePackFiles\iismp3.exe

C:\WINNT\Speech\svcsrv.exe

C:\WINNT\sysupd.exe

C:\WINNT\absr.exe

C:\WINNT\bvt.exe

C:\WINNT\ausvc.exe

C:\WINNT\system32\hostx.exe

C:\PROGRA~1\INCRED~1~delete the entire folder


7)Empty your Temp folders as follows:
Open Internet Explorer. You'll get a Page not Found error, but that's normal in safe mode.
At the top, click Tools>Internet Options> and then, in the center click Delete Cookies
Click Delete Files and then in the new applet check the box for all offline content
Click OK
Close that applet and open the C>Windows>Temp folder, and delete all files in there too, and all files in sub-folders of Temp.
Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty
Double check to see if the folder C:\DOCUMENTSandSETTINGS\KRISTI~1\LOCALSETTINGS\Temp is empty.
Empty your recyle bin

then head over to panda active scan
to do an online scan. let it auto clean your computer


8)Reboot back into normal Windows and post a fresh log.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#6 swanza26

swanza26
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 10 November 2004 - 10:41 AM

new log
Logfile of HijackThis v1.98.2
Scan saved at 10:41:39 AM, on 11/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\ESSD.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kristin Swana\My Documents\download\swanza26\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://students.uconn.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Eac_Download] C:\PROGRA~1\COMMON~1\EACCEL~1\download.exe -k
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdn32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

#7 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:10:49 AM

Posted 11 November 2004 - 07:01 AM

hi

well, what can i say.. except
GREAT WORK!!!

log looks clean now :thumbsup:

since the nasty did things to your hosts file
we can fix it using info&tools here:
http://software.brown.edu/dist/w-restorehosts.html

then download a good hosts file from here( instructions included )
http://www.mvps.org/winhelp2002/hosts.htm


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

cheers and greetings from finland !
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users