
HJT Log


  • This topic is locked
3 replies to this topic

#1 spagtscully

Posted 07 July 2006 - 10:34 PM

I've been trying to fix my computer for the past three days. I've run every virus protection and adware program that was listed in the main topic post. The computer was rebooting whenever a virus scan or adware scan was run. I got that fixed up, though. I managed to get a few other things fixed, but one or two of the problems just keep coming back. I have put both my HJT log and Pandascan log on here. Any help with this issue would be greatly appreciated. This problem is putting me near the edge of my sanity.

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:45:36 PM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\my documents D\programs\misc programs\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125522066517
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141541192240
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1C62878-0583-405A-B652-4768CE3B2818}: NameServer = 208.39.158.2,64.56.37.246
O20 - Winlogon Notify: gatexkey - gatexkey.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: GridIron X-Factor After Effects Peer #1 (XFACTORAE1) - Unknown owner - C:\Program Files\XLR8\xlr8d.exe" --ae --pm 1 (file missing)
O23 - Service: GridIron XLR8 Peer Manager (XLR8) - Unknown owner - C:\Program Files\XLR8\xlr8d.exe" --ae --sm (file missing)
O23 - Service: GridIron XLR8 Peer #1 (XLR8PEER1) - Unknown owner - C:\Program Files\XLR8\xlr8d.exe" --pm 1 (file missing)


And the Pandascan Log:
Incident Status Location

Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jamie Warren\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-66f122e4.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jamie Warren\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-66f122e4.zip[NewURLClassLoader.class]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@adrevolver[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@atwola[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@cgi-bin[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@doubleclick[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@errorsafe[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@realmedia[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@tribalfusion[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@www.errorsafe[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jamie Warren\Cookies\jamie warren@zedo[2].txt
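
A quick way to triage a log like the one above is to parse it and surface only the entries that deserve a second look: Run keys whose program has no directory (so Windows finds it via the search path), Winlogon Notify DLLs given without a full path, a NameServer override, services with no vendor name, and anything marked "(file missing)". The script below is an added example, not part of the original post and not a HijackThis, HaxFix or BleepingComputer tool; the sample lines are copied from the log above, and the heuristics, regexes and function names are my own. It lists candidates for a human to check, not verdicts: a bare program name in a Run key is not evidence of anything by itself, it only means you should confirm which file actually runs.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted above,
# chosen so that every check below fires at least once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1C62878-0583-405A-B652-4768CE3B2818}: NameServer = 208.39.158.2,64.56.37.246
O20 - Winlogon Notify: gatexkey - gatexkey.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: GridIron XLR8 Peer Manager (XLR8) - Unknown owner - C:\Program Files\XLR8\xlr8d.exe" --ae --sm (file missing)
"""

# Every HijackThis entry line starts with a section tag such as O4 or O20.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 Run-key form: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 form: Winlogon Notify: name - dll [(file missing)]
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*?)(?: \(file missing\))?$")
# A path is "qualified" when it begins with a drive letter or an %ENV% variable.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\)")


def first_token(cmd):
    """The program part of a command line: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_qualified(path):
    """True when the path names a directory, so Windows will not search for it."""
    return bool(QUALIFIED_RE.match(path.strip().strip('"')))


def triage_entry(line):
    """Parse one HijackThis line. Returns (section, subject, reasons), or None
    for lines that are not O-entries (header, process list, blanks). An empty
    reasons list means the entry looked routine under these heuristics."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    subject, reasons = body, []

    if section == "O4":
        r = O4_RE.match(body)
        if r:
            subject = r.group("name")
            if not is_qualified(first_token(r.group("cmd"))):
                reasons.append("program given without a directory, so it is found via the search path; confirm which file runs")
    elif section == "O17":
        r = re.search(r"NameServer = ([\d.,]+)", body)
        if r:
            subject = r.group(1)
            reasons.append("DNS servers set for this adapter; confirm they belong to your ISP or router")
    elif section == "O20":
        r = O20_RE.match(body)
        if r:
            subject = r.group("name")
            if not is_qualified(r.group("dll")):
                reasons.append("Winlogon Notify DLL given without a full path; winlogon.exe loads it at every logon")
    elif section == "O23":
        parts = body.split(" - ", 2)
        subject = parts[0].replace("Service: ", "", 1)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            reasons.append("service binary carries no vendor name")

    if "(file missing)" in body:
        reasons.append("points at a file that is not on disk: the entry is dead, but something created it")
    return section, subject, reasons


def triage_log(text):
    """Run triage_entry over a whole log and keep only entries with at least one reason."""
    hits = []
    for line in text.splitlines():
        result = triage_entry(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for section, subject, reasons in triage_log(SAMPLE_LOG):
        print(f"{section:4}{subject}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, the gatexkey entry is the one that trips two checks at once: a Winlogon Notify DLL is loaded into winlogon.exe at every logon, so a randomly named one with no path and no file left on disk is worth chasing even though the file itself is gone. The WgaLogon entry, by contrast, has a full System32 path and passes. Feed the whole log in (for example `triage_log(open("hijackthis.log").read())`) and you get a short list to work through instead of 140 lines.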

#2 OldTimer

Malware Expert

Posted 16 July 2006 - 10:36 AM

Hello spagtscully and welcome to the BC HijackThis forum. It looks like there might have been a Haxdoor infection. Let's check and see if it is completely gone.

Download HaxFix
  • Double click on haxfix.exe to install the program (the standard installation path is c:\program Files\haxfix).
  • Checkmark Create a desktop icon.
  • Click Next.
  • When the installation is completed, make sure that Launch haxfix is checked.
  • Click Finish.
  • A red "DOS window" (DOS box) will open with the options:
    • 1. Make logfile
    • 2. Run auto fix
    • 3. Run manual fix
    • 4. Goldunfix
    • E. Exit Haxfix
  • Close all other open windows since this step requires a reboot.
  • Select option 4. Run goldun fix by typing 4 and then pressing Enter.
  • If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from Goldunfix and then press Enter.
  • The computer will reboot.
  • After reboot a logfile will open. (c:\goldunlog.txt)
Post the log from HaxFix along with a new HijackThis log and I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 spagtscully

Posted 16 July 2006 - 05:25 PM

Actually, I just reformatted my computer this morning. It was having way too many issues. I appreciate the response and help. This thread can be closed.

Edited by spagtscully, 16 July 2006 - 05:26 PM.


#4 OldTimer

Malware Expert


Posted 16 July 2006 - 05:35 PM

OK. This topic is closed.

Cheers.

OT



