
Hjk log, please help


This topic is locked. 1 reply to this topic

#1 Brigh

Posted 28 November 2004 - 02:56 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:59:11 PM, on 11/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
G:\PROGRA~1\firefox.exe
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: msnmsgr.exe
O12 - Plugin for .aiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c248e2dbf7775d2
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24fdc3af6dc8fa...ip/RdxIE601.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.parispourvous.com/paris4you/act...sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38069.7946875
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mshome
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mshome
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mshome

I have no idea what any of this means, or where to even look to figure out if any of this needs to be removed. Can anyone help me?

Edited by Brigh, 28 November 2004 - 03:16 PM.


#2 Brigh (Topic Starter)
Posted 28 November 2004 - 06:45 PM

Also, I'm super-infected with BargainBuddy and the like... Blazefind, DiFuCa, 180Solutions, etc.

I've deleted all the related files with AdAware SE, but all of them are in my registry. Can anyone help me fix this?

AdAware SE Log

ArchiveData(auto-quarantine- 2004-11-28 15-58-58.bckp)
Referencefile : SE1R20 25.11.2004
======================================================

BARGAINBUDDY

obj[0]=Regkey : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0\helpdir
obj[1]=RegValue : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0\helpdir ""
obj[2]=Regkey : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0\flags
obj[3]=RegValue : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0\flags ""
obj[4]=Regkey : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0\0
obj[5]=Regkey : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0
obj[6]=RegValue : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}\1.0 ""
obj[7]=Regkey : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}
obj[8]=Regkey : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}
obj[9]=RegValue : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678} ""
obj[10]=Regkey : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}
obj[11]=RegValue : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678} ""
obj[12]=Regkey : clsid\{f4e04583-354e-4076-be7d-ed6a80fd66da}
obj[13]=RegValue : clsid\{f4e04583-354e-4076-be7d-ed6a80fd66da} ""
obj[14]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{f4e04583-354e-4076-be7d-ed6a80fd66da}
obj[15]=RegValue : software\microsoft\windows\currentversion\explorer\browser helper objects\{f4e04583-354e-4076-be7d-ed6a80fd66da} ""

BLAZEFIND

obj[16]=Regkey : winadctlx.installer
obj[17]=RegValue : winadctlx.installer ""
obj[18]=Regkey : software\classes\clsid\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
obj[24]=Regkey : CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
obj[25]=Regkey : Software\microsoft\windows\currentversion\moduleusage\C:/WINNT/Downloaded Program Files/WinAdCtlX.dll
obj[26]=RegValue : Software\microsoft\windows\currentversion\moduleusage\C:/WINNT/Downloaded Program Files/WinAdCtlX.dll ".Owner"
obj[27]=RegValue : Software\microsoft\windows\currentversion\moduleusage\C:/WINNT/Downloaded Program Files/WinAdCtlX.dll "{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
obj[28]=RegValue : Software\Microsoft\Windows\CurrentVersion\SharedDLLs "C:\WINNT\Downloaded Program Files\WinAdCtlX.dll"
obj[29]=File : c:\winnt\downloaded program files\winadctlx.dll
obj[30]=File : c:\/winnt/downloaded program files/winadctlx.dll

DYFUCA

obj[19]=Regkey : .DEFAULT\software\avenue media

WINDUPDATES

obj[20]=Regkey : software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
obj[21]=RegValue : software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6} "SystemComponent"
obj[22]=RegValue : software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6} "Installer"

ALEXA

obj[23]=RegValue : S-1-5-21-436374069-1563985344-839522115-1001\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"


I'm also having trouble with the Downloader-NH, which pops up only when I scan using AdAware, and not with my own virus scanner, which says I have no infected files.

Reformatting is not an option; please help!



