This is my result, how to do the next step?

9 replies to this topic

#1 jeffyzy
Posted 18 November 2004 - 04:03 AM

Logfile of HijackThis v1.98.2
Scan saved at 4:28:00 PM, on 11/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\System32\sistray.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Rising\Rav\RavTimer.exe
C:\Program Files\Rising\Rav\RavMon.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\BestPopupKiller\BestPopupKiller.exe
C:\Documents and Settings\anand narain singh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97B65AD7-DE3B-48FA-B222-3A6EC5D9E575} - C:\WINNT\system32\amo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RavTimer] C:\Program Files\Rising\Rav\RavTimer.exe
O4 - HKLM\..\Run: [RavMon] "C:\Program Files\Rising\Rav\RavMon.exe"
O4 - HKLM\..\Run: [RavService] C:\Program Files\Rising\Rav\RavService.exe
O4 - HKLM\..\RunServices: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe /AUTO
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DE2232-2D7A-459F-BF72-C17F4FCF37AF}: NameServer = 210.72.129.130,202.96.64.68
O18 - Filter: text/html - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll
O18 - Filter: text/plain - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll


#2 Indrid_Cold
Posted 18 November 2004 - 06:21 AM

Greetings jeffyzy

Please download DllCompare (CWS HiddenDLLFinder) HERE

Launch the program and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a little while)
When it finishes click the "Make Log" button.

Please copy and paste that log in this thread using the ADD/REPLY button.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#3 jeffyzy (Topic Starter)
Posted 18 November 2004 - 08:52 AM

Indrid: nice to meet you!
Thank you very much for your help! I will do it according to your suggestion.
sincerely,
jeff

#4 Indrid_Cold
Posted 18 November 2004 - 09:45 AM

You are most welcome jeffyzy.

After following my previous instructions please create a new folder C:\HJT, or the like, and then move your copy of HijackThis to the new folder. It is important that you do this because HJT will create backups when we begin removing entries from the scan and we want them to be organized and easy to locate should they be required later.

#5 jeffyzy (Topic Starter)
Posted 18 November 2004 - 08:08 PM

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1,737 items found: 1,737 files, 0 directories.
Total of file sizes: 260,856,919 bytes 248.77 M

Administrator Account = True

--------------------End log---------------------




This is my result after running DllCompare, and I just created a folder named HJT and copied HijackThis into it.

#6 Indrid_Cold
Posted 18 November 2004 - 09:50 PM

Nice job. Thank you.

Looking things over and I will be back with you soon.

#7 Indrid_Cold
Posted 19 November 2004 - 02:45 AM

Please download this tool from Symantec

- Disconnect from the Internet and do not launch Internet Explorer or connect to the Internet until the end of this fix has been completed.

- Close all other applications

- Launch FxAgentB.exe

- Click "START" and let the scan finish.

- REBOOT to Safe Mode
As the computer is starting up, tap the F8 key continuously until you get the startup menu. Then choose Safe Mode.


- Reconfigure Windows Explorer to show Hidden Files:
*Open the Windows Explorer | Tools | Folder Options - View.
*Scroll down to the "Files and Folders" section.
*Select: "Display the contents of system folders".
*Scroll down to the "Hidden Files and Folders" section.
*Select: "Show hidden files and folders", Ok the prompt
*Uncheck: "Hide file extensions for known file types"
*Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply
*Click the "Apply to all Folders" button.

Please place a check for these entries in HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {97B65AD7-DE3B-48FA-B222-3A6EC5D9E575} - C:\WINNT\system32\amo.dll

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O18 - Filter: text/html - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll
O18 - Filter: text/plain - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll


Please delete these Files and/or Folders noted in BOLD

C:\WINNT\system32\amo.dll<----this file
C:\Recycled<-----this folder



- To prevent a possible re-infection:
Please delete the contents in these folders (DO NOT delete The Folder themselves)

* C:\Windows\Temp\contents<-----<

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ contents<-----<

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\contents<-----<


* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\contents<-----<

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\contents<-----<

* Empty your "Recycle Bin"

- REBOOT

- You may now connect to the Internet

You have SpyKiller installed
This is considered a rogue application by those in the security community. I would urge you to uninstall it. More info HERE

You have BestPopUpKiller installed.
This also has a dubious reputation and I would counsel you to uninstall it as well.

Please scan again with HijackThis and post a fresh log for further review.
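As an added triage example, not part of this thread and not code from HijackThis or its author: the Python script below parses the entry lines of the log in post #1 and flags the same items Indrid_Cold ticked in post #7 (R0/R1 keys redirected to a file:// URL, the leftover HomeOldSP values, the unnamed O2 BHO, the O16 DPF entry pointing at a local executable, and the O18 text/html and text/plain filters), then lists the files those entries load so they can be deleted after the entries are fixed. The sample log is a constructed excerpt of the one posted; the rules are heuristics written for this example and not HijackThis's own logic; O17 NameServer entries are deliberately left to manual review. Note that post #8 withdraws the instruction to delete the whole C:\Recycled folder, so the script reports only the specific file the O16 entry points at.

```python
import re

# Constructed excerpt of the HijackThis v1.98.2 log posted in this thread
# (entry lines only; the "Running processes" section is omitted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ANANDN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97B65AD7-DE3B-48FA-B222-3A6EC5D9E575} - C:\WINNT\system32\amo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [RavMon] "C:\Program Files\Rising\Rav\RavMon.exe"
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DE2232-2D7A-459F-BF72-C17F4FCF37AF}: NameServer = 210.72.129.130,202.96.64.68
O18 - Filter: text/html - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll
O18 - Filter: text/plain - {69388FEE-9472-496E-9E9D-13E8522ED02D} - C:\WINNT\system32\amo.dll
"""

# Every HijackThis entry line starts with its type code (R0, R1, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return a list of (type, body) tuples, one per HijackThis entry line.
    Lines that are not entries (headers, process list, blanks) are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the heuristic rules from the lead-in (example rules, not HijackThis's).

    Returns (flagged, files): flagged maps each suspicious entry line to the
    reason it was flagged; files is the set of on-disk paths those entries
    load, i.e. what to delete once the entries are removed in HijackThis."""
    flagged = {}
    files = set()
    for typ, body in parse_entries(log_text):
        line = f"{typ} - {body}"
        # The last " - " separated field of O2/O16/O18 entries is the loaded path or URL.
        target = body.split(" - ")[-1].strip()
        if typ in ("R0", "R1"):
            if "= file://" in body:
                flagged[line] = "IE search/start page points at a local HTML file"
            elif "HomeOldSP" in body:
                flagged[line] = "HomeOldSP value left behind by a homepage hijack"
        elif typ == "O2" and body.startswith("BHO: (no name)"):
            flagged[line] = "Browser Helper Object registered without a name"
            files.add(target)
        elif typ == "O16" and target.lower().startswith("file://"):
            flagged[line] = "Downloaded Program File entry pointing at a local executable"
            files.add(target[len("file://"):])
        elif typ == "O18" and body.startswith("Filter: text/"):
            flagged[line] = "MIME filter on text content; the DLL sees every page IE renders"
            files.add(target)
    return flagged, files


if __name__ == "__main__":
    flagged, files = triage(SAMPLE_LOG)
    print("Entries to check in HijackThis:")
    for entry, reason in flagged.items():
        print(f"  {entry}\n      -> {reason}")
    print("\nFiles loaded by those entries (delete after fixing):")
    for path in sorted(files):
        print(f"  {path}")
```

Running the script on the sample reproduces the checklist from post #7: twelve entries to tick and two files to remove, C:\WINNT\system32\amo.dll (loaded both as the unnamed BHO and as the text/html and text/plain filters) and C:\Recycled\Q330995.exe. The Adobe BHO, the Radio toolbar, the Run entries and the O17 NameServer line are not flagged, so they stay for the helper to judge by hand.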

#8 Indrid_Cold
Posted 19 November 2004 - 03:50 AM

jeffyzy

Please see revised instructions:

Original instruction:
C:\Recycled<-----this folder

Revised Instruction:
IGNORE!

Edited by Indrid_Cold, 19 November 2004 - 03:52 AM.


#9 jeffyzy (Topic Starter)
Posted 19 November 2004 - 04:21 AM

Thank you, Indrid.
Now the detected PC is OK; an expert has repaired it. So I have no chance to exhibit your talent, but I am happy because I got a good friend, Indrid, who is from the USA and is a computer talent. Let us keep in touch!
Yours,
Jeff

#10 Indrid_Cold
Posted 19 November 2004 - 05:01 AM

Good news Jeff!

Feel free to post another HJT log here for one more look over just to be sure.



