Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Diagnose


  • This topic is locked This topic is locked
7 replies to this topic

#1 bearjsb3

bearjsb3

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:49 PM

Posted 27 March 2006 - 12:10 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:00:54 PM, on 3/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ecmliuaA.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\DOCUME~1\JASONS~1.BAR\LOCALS~1\Temp\Rar$EX00.857\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,smbqiew.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ecmliuaA] C:\WINDOWS\ecmliuaA.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - Global Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterex...artload464a.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O18 - Protocol: sashelploc - {9E6185F9-FFCD-11D1-830E-00A024BF297F} - blank (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\o4role931h.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\WINDOWS\System32\iosdt\iosdt.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


m

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:49 AM

Posted 27 March 2006 - 03:33 AM

Hello bearjsb3, and welcome to BleepingComputer,

We'll try to help you out, just give us some time to study your log.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:49 AM

Posted 27 March 2006 - 08:11 AM

Hello bearjsb3,

This is indeed a nasty log, so we can't deal with this all in once and several different steps are needed.

Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
To make a permanent folder:Click My Computer, then C:\ and then on Program Files.
In the menu bar, File > New > Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.
1. Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

2. Go to Start > Controlpanel > Software > Add/remove programs and uninstall next if present:ISTBar
3. Reboot afterwards!! Really important!

4. Download and save F-Secure Blacklight to your desktop.
Double-click blbeta.exe, then accept the agreement.
click > Scan, then > Next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

5. Please post the contents of Look2Me-Destroyer.txt and fsbl.xxxxxxx.log, present on your desktop,
and a new HijackThis log.

6. Could you also please post an Uninstaller List from HijackThis:Open HijackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and paste the List from the notebook onto your post
Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 bearjsb3

bearjsb3
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:49 PM

Posted 27 March 2006 - 01:10 PM

Thank you for you help so far. Even after rebooting, Look2Me is not restarting after 1 minute. Even after a few minutes it does not restart. Suggestions?

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:49 AM

Posted 27 March 2006 - 03:26 PM

Hello bearjsb3,

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Try again maybe? :thumbsup:

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 bearjsb3

bearjsb3
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:49 PM

Posted 28 March 2006 - 09:38 AM

BMThor,

Thank you for your help. I decided it would be best for me to format my hard drive and reinstall windows. This has definitely removed the problems. Thanks again for your time and consideration.

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:49 AM

Posted 29 March 2006 - 02:57 AM

Hello bearjsb3,

Although drastic, that is of course another way to get rid of malware.
And thank you for letting me know. :thumbsup:

I couldn't help but notice that your previous protection was rather low. :flowers:
Nowadays it's really imperative to keep your operating system fully updated!


Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously ; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regular basis and download all the "critical updates" for Windows,
including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.

2. It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log didn't show a firewall running..
Please check out, download and instal one of these excellent (and free) products: Sygate
Kerio
Tiny Personal Firewall
Outpost
It is important to note that you should only have one firewall installed at a time.
A tutorial on understanding and using firewalls may be found here.

3. In order to protect yourself better against spyware, you should consider installing and running some of the following free programs:Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE/Spyad
Places over 5000 dubious websites and domains in your IE's restricted zone.
Make sure to keep your antispyware programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

4. Please consider using an alternate browser. Mozilla's Firefox browser is very good and more secure than Internet Explorer, immune to almost all known browser hijackers, and also has a built-in popup blocker (as an added benefit!) . If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed
Hopefully this should take care of your problems! Good luck :huh:

BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:49 AM

Posted 30 March 2006 - 02:20 PM

Since your problem is solved, this topic will be closed.
If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users