HJT log analysis please


55 replies to this topic

#1 crgb

crgb

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 02 December 2004 - 11:22 AM

Have a problem with Common Hijacker and IGetNet which keep cropping up in spite of running Ad-Aware SE and Spybot. Logs follow as requested elsewhere:

Logfile of HijackThis v1.98.2
Scan saved at 16:13:40, on 12/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\program files\FinePixViewer\QuickDCF.exe
C:\program files\stickies\stickies.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\program files\VX2Finder(126).exe
C:\program files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O1 - Hosts: 127.112.112.13 www.symantec.com
O1 - Hosts: 127.169.78.39 securityresponse.symantec.com
O1 - Hosts: 127.170.125.23 symantec.com
O1 - Hosts: 127.185.224.177 www.mcafee.com
O1 - Hosts: 127.39.48.113 mcafee.com
O1 - Hosts: 127.67.116.217 us.mcafee.com
O1 - Hosts: 127.9.5.227 www.sophos.com
O1 - Hosts: 127.35.206.114 sophos.com
O1 - Hosts: 127.199.225.85 www.viruslist.com
O1 - Hosts: 127.202.202.166 viruslist.com
O1 - Hosts: 127.238.166.116 f-secure.com
O1 - Hosts: 127.54.43.42 www.f-secure.com
O1 - Hosts: 127.19.187.94 kaspersky.com
O1 - Hosts: 127.35.19.242 www.avp.com
O1 - Hosts: 127.229.215.134 www.kaspersky.com
O1 - Hosts: 127.88.186.107 avp.com
O1 - Hosts: 127.161.178.77 www.networkassociates.com
O1 - Hosts: 127.35.111.173 networkassociates.com
O1 - Hosts: 127.88.111.13 www.ca.com
O1 - Hosts: 127.98.24.36 ca.com
O1 - Hosts: 127.195.208.132 my-etrust.com
O1 - Hosts: 127.168.163.146 www.my-etrust.com
O1 - Hosts: 127.156.161.221 secure.nai.com
O1 - Hosts: 127.95.39.133 nai.com
O1 - Hosts: 127.181.210.211 www.nai.com
O1 - Hosts: 127.247.168.155 trendmicro.com
O1 - Hosts: 127.64.57.151 www.trendmicro.com
O1 - Hosts: 127.133.185.24 housecall.trendmicro.com
O1 - Hosts: 127.8.0.135 www.pandasoftware.com
O1 - Hosts: 127.88.117.199 www.bitdefender.com
O1 - Hosts: 127.145.24.214 www.ravantivirus.com
O1 - Hosts: 127.115.128.29 www3.ca.com
O1 - Hosts: 127.78.81.180 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.240.16.15 windowsupdate.microsoft.com
O1 - Hosts: 127.112.236.154 www.windowsupdate.com
O1 - Hosts: 127.172.53.37 windowsupdate.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
O4 - HKLM\..\Run: [SystemLoad] dlldisk.exe -services
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SystemLoad] dlldisk.exe -services
O4 - HKCU\..\Run: [SystemLoad] dlldisk.exe -drivers
O4 - Startup: Stickies.lnk = C:\program files\stickies\stickies.exe
O4 - Global Startup: Exif Launcher.lnk = C:\program files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Decide & Deliver - {70F4628B-D85C-4e28-B411-D8FBA98BDE43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EEBF28-837A-42F4-90CF-CB7B617FCE61}: NameServer = 194.72.9.38 194.74.65.69



Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
Telephony
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{38A9993C-5BD7-496C-8C6F-35F01660DCD4}



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 02 December 2004 - 01:17 PM

Hi

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download and install VX2 Cleaner.

Open Ad-Aware, go to Add-ons, click the Tools tab and select VX2 Cleaner. Press the Run Tool button.

REBOOT your machine.

Run HijackThis! again and post a new log please.

Edited by cryo, 02 December 2004 - 01:17 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 02 December 2004 - 02:27 PM

So far so good:

Logfile of HijackThis v1.98.2
Scan saved at 19:24:26, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\program files\FinePixViewer\QuickDCF.exe
C:\program files\stickies\stickies.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\program files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O1 - Hosts: 127.112.112.13 www.symantec.com
O1 - Hosts: 127.169.78.39 securityresponse.symantec.com
O1 - Hosts: 127.170.125.23 symantec.com
O1 - Hosts: 127.185.224.177 www.mcafee.com
O1 - Hosts: 127.39.48.113 mcafee.com
O1 - Hosts: 127.67.116.217 us.mcafee.com
O1 - Hosts: 127.9.5.227 www.sophos.com
O1 - Hosts: 127.35.206.114 sophos.com
O1 - Hosts: 127.199.225.85 www.viruslist.com
O1 - Hosts: 127.202.202.166 viruslist.com
O1 - Hosts: 127.238.166.116 f-secure.com
O1 - Hosts: 127.54.43.42 www.f-secure.com
O1 - Hosts: 127.19.187.94 kaspersky.com
O1 - Hosts: 127.35.19.242 www.avp.com
O1 - Hosts: 127.229.215.134 www.kaspersky.com
O1 - Hosts: 127.88.186.107 avp.com
O1 - Hosts: 127.161.178.77 www.networkassociates.com
O1 - Hosts: 127.35.111.173 networkassociates.com
O1 - Hosts: 127.88.111.13 www.ca.com
O1 - Hosts: 127.98.24.36 ca.com
O1 - Hosts: 127.195.208.132 my-etrust.com
O1 - Hosts: 127.168.163.146 www.my-etrust.com
O1 - Hosts: 127.156.161.221 secure.nai.com
O1 - Hosts: 127.95.39.133 nai.com
O1 - Hosts: 127.181.210.211 www.nai.com
O1 - Hosts: 127.247.168.155 trendmicro.com
O1 - Hosts: 127.64.57.151 www.trendmicro.com
O1 - Hosts: 127.133.185.24 housecall.trendmicro.com
O1 - Hosts: 127.8.0.135 www.pandasoftware.com
O1 - Hosts: 127.88.117.199 www.bitdefender.com
O1 - Hosts: 127.145.24.214 www.ravantivirus.com
O1 - Hosts: 127.115.128.29 www3.ca.com
O1 - Hosts: 127.78.81.180 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.240.16.15 windowsupdate.microsoft.com
O1 - Hosts: 127.112.236.154 www.windowsupdate.com
O1 - Hosts: 127.172.53.37 windowsupdate.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
O4 - HKLM\..\Run: [SystemLoad] dlldisk.exe -services
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SystemLoad] dlldisk.exe -services
O4 - HKCU\..\Run: [SystemLoad] dlldisk.exe -drivers
O4 - Startup: Stickies.lnk = C:\program files\stickies\stickies.exe
O4 - Global Startup: Exif Launcher.lnk = C:\program files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Decide & Deliver - {70F4628B-D85C-4e28-B411-D8FBA98BDE43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 02 December 2004 - 03:35 PM

Hi

Download IGN Keywords uninstaller - http://www.igetnet.com/downloads/NLNuninstall.exe

Download Adware Away - http://adwareaway.com/download/AdwareAway.exe

REBOOT in SafeMode

Run IGN Keywords uninstaller.

Run Adware Away. Click Remove Hijackers, then IGetNet Hijacker. Press the Scan One button. Remove anything it finds.

REBOOT normally and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#5 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 02 December 2004 - 05:38 PM

Can't download the first item - site unavailable - will try tomorrow.

#6 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 03 December 2004 - 02:35 AM

Still can't access IGN Keywords uninstaller.

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 03 December 2004 - 02:39 AM

No problem. The fix doesn't work. This is a brand new Look2me infection. Please post a new HijackThis log. We will fix the other malware.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#8 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 03 December 2004 - 04:56 AM

Logfile of HijackThis v1.98.2
Scan saved at 09:55:27, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\program files\FinePixViewer\QuickDCF.exe
C:\program files\stickies\stickies.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\program files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/login?...t.yahoo.com/%3f
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O1 - Hosts: 127.112.112.13 www.symantec.com
O1 - Hosts: 127.169.78.39 securityresponse.symantec.com
O1 - Hosts: 127.170.125.23 symantec.com
O1 - Hosts: 127.185.224.177 www.mcafee.com
O1 - Hosts: 127.39.48.113 mcafee.com
O1 - Hosts: 127.67.116.217 us.mcafee.com
O1 - Hosts: 127.9.5.227 www.sophos.com
O1 - Hosts: 127.35.206.114 sophos.com
O1 - Hosts: 127.199.225.85 www.viruslist.com
O1 - Hosts: 127.202.202.166 viruslist.com
O1 - Hosts: 127.238.166.116 f-secure.com
O1 - Hosts: 127.54.43.42 www.f-secure.com
O1 - Hosts: 127.19.187.94 kaspersky.com
O1 - Hosts: 127.35.19.242 www.avp.com
O1 - Hosts: 127.229.215.134 www.kaspersky.com
O1 - Hosts: 127.88.186.107 avp.com
O1 - Hosts: 127.161.178.77 www.networkassociates.com
O1 - Hosts: 127.35.111.173 networkassociates.com
O1 - Hosts: 127.88.111.13 www.ca.com
O1 - Hosts: 127.98.24.36 ca.com
O1 - Hosts: 127.195.208.132 my-etrust.com
O1 - Hosts: 127.168.163.146 www.my-etrust.com
O1 - Hosts: 127.156.161.221 secure.nai.com
O1 - Hosts: 127.95.39.133 nai.com
O1 - Hosts: 127.181.210.211 www.nai.com
O1 - Hosts: 127.247.168.155 trendmicro.com
O1 - Hosts: 127.64.57.151 www.trendmicro.com
O1 - Hosts: 127.133.185.24 housecall.trendmicro.com
O1 - Hosts: 127.8.0.135 www.pandasoftware.com
O1 - Hosts: 127.88.117.199 www.bitdefender.com
O1 - Hosts: 127.145.24.214 www.ravantivirus.com
O1 - Hosts: 127.115.128.29 www3.ca.com
O1 - Hosts: 127.78.81.180 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.240.16.15 windowsupdate.microsoft.com
O1 - Hosts: 127.112.236.154 www.windowsupdate.com
O1 - Hosts: 127.172.53.37 windowsupdate.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
O4 - HKLM\..\Run: [SystemLoad] dlldisk.exe -services
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SystemLoad] dlldisk.exe -services
O4 - HKCU\..\Run: [SystemLoad] dlldisk.exe -drivers
O4 - Startup: Stickies.lnk = C:\program files\stickies\stickies.exe
O4 - Global Startup: Exif Launcher.lnk = C:\program files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Decide & Deliver - {70F4628B-D85C-4e28-B411-D8FBA98BDE43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1EEBF28-837A-42F4-90CF-CB7B617FCE61}: NameServer = 194.72.9.38 194.74.65.69

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 03 December 2004 - 06:15 AM

Hi

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.
You can uninstall this program from Add\Remove Programs.
P2P Networking

Please do me a favour and send this file here: [edited]@yahoo.com if you can find it on your HDD:
dlldisk.exe <-- this file

I found no information about it and it could be a part of the Look2me infection. If it is, it will help us to find a fix for it.

Thank you

You have Messenger Plus installed. This program is known to install malware. I would advise that you remove this program from your computer.

When choosing anti-spyware protection, you should rely on products with deserved reputations and proven track records:
SpySpotter is a rogue anti-spy software.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
You can use these free programs: Ad-Aware SE, Spybot Search & Destroy + SpywareBlaster.
Please uninstall SpySpotter from Add\Remove Programs if found.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 127.112.112.13 www.symantec.com
O1 - Hosts: 127.169.78.39 securityresponse.symantec.com
O1 - Hosts: 127.170.125.23 symantec.com
O1 - Hosts: 127.185.224.177 www.mcafee.com
O1 - Hosts: 127.39.48.113 mcafee.com
O1 - Hosts: 127.67.116.217 us.mcafee.com
O1 - Hosts: 127.9.5.227 www.sophos.com
O1 - Hosts: 127.35.206.114 sophos.com
O1 - Hosts: 127.199.225.85 www.viruslist.com
O1 - Hosts: 127.202.202.166 viruslist.com
O1 - Hosts: 127.238.166.116 f-secure.com
O1 - Hosts: 127.54.43.42 www.f-secure.com
O1 - Hosts: 127.19.187.94 kaspersky.com
O1 - Hosts: 127.35.19.242 www.avp.com
O1 - Hosts: 127.229.215.134 www.kaspersky.com
O1 - Hosts: 127.88.186.107 avp.com
O1 - Hosts: 127.161.178.77 www.networkassociates.com
O1 - Hosts: 127.35.111.173 networkassociates.com
O1 - Hosts: 127.88.111.13 www.ca.com
O1 - Hosts: 127.98.24.36 ca.com
O1 - Hosts: 127.195.208.132 my-etrust.com
O1 - Hosts: 127.168.163.146 www.my-etrust.com
O1 - Hosts: 127.156.161.221 secure.nai.com
O1 - Hosts: 127.95.39.133 nai.com
O1 - Hosts: 127.181.210.211 www.nai.com
O1 - Hosts: 127.247.168.155 trendmicro.com
O1 - Hosts: 127.64.57.151 www.trendmicro.com
O1 - Hosts: 127.133.185.24 housecall.trendmicro.com
O1 - Hosts: 127.8.0.135 www.pandasoftware.com
O1 - Hosts: 127.88.117.199 www.bitdefender.com
O1 - Hosts: 127.145.24.214 www.ravantivirus.com
O1 - Hosts: 127.115.128.29 www3.ca.com
O1 - Hosts: 127.78.81.180 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.240.16.15 windowsupdate.microsoft.com
O1 - Hosts: 127.112.236.154 www.windowsupdate.com
O1 - Hosts: 127.172.53.37 windowsupdate.com

O4 - HKLM\..\Run: [WinDriv32] C:\WINDOWS\System32\WinDriv32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O9 - Extra button: Decide & Deliver - {70F4628B-D85C-4e28-B411-D8FBA98BDE43} - (no file)

O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\System32\WinDriv32.exe <-- this file
C:\WINDOWS\System32\twink64.exe <-- this file

Delete these folders:
C:\WINDOWS\System32\P2P Networking\ <-- this folder

Empty the Recycle Bin.

REBOOT normally.

Run HijackThis! again and post a new log please.

Edited by cryo, 18 December 2004 - 07:44 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

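A small triage script, added here as an illustration and not part of this thread or of HijackThis, that applies the same reading Daisuke gives above to a log: O1 hosts entries pointing vendor or update sites at bogus 127.x addresses (the site just looks down) or at a remote address (the lookup is redirected), O4 Run entries whose image is a bare filename like dlldisk.exe, O9 buttons with no backing file, and added O15 Trusted Zone sites. The sample log is a constructed excerpt of the log posted in this thread; the category names are my own.

```python
import ipaddress
import re

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, plus one benign O4 line (avast!) for contrast.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
O1 - Hosts: 127.112.112.13 www.symantec.com
O1 - Hosts: 127.78.81.180 v4.windowsupdate.microsoft.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\\..\\Run: [SystemLoad] dlldisk.exe -services
O4 - HKLM\\..\\Run: [WinDriv32] C:\\WINDOWS\\System32\\WinDriv32.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O9 - Extra button: Decide & Deliver - {70F4628B-D85C-4e28-B411-D8FBA98BDE43} - (no file)
O15 - Trusted Zone: *.windupdates.com
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def command_image(cmd):
    """Return the executable part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text):
    """Return (category, line) pairs for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":
            h = HOSTS_RE.match(body)
            if not h:
                continue
            try:
                ip = ipaddress.ip_address(h.group("ip"))
            except ValueError:
                findings.append(("O1-malformed", raw))
                continue
            if ip in LOOPBACK and str(ip) != "127.0.0.1":
                # Any 127.x.y.z answers locally, so the vendor/update site
                # simply looks down; no DNS query ever leaves the box.
                findings.append(("O1-blocked-site", raw))
            elif ip not in LOOPBACK:
                # A public address here silently rewrites where the name goes.
                findings.append(("O1-redirect", raw))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in command_image(r.group("cmd")):
                # Bare filename: resolved via PATH at logon, which is why a
                # file search may not turn it up (dlldisk.exe in this thread).
                findings.append(("O4-bare-image", raw))
        elif kind == "O9" and body.endswith("(no file)"):
            findings.append(("O9-dangling", raw))
        elif kind == "O15":
            # Trusted Zone sites get relaxed IE security settings.
            findings.append(("O15-trusted-zone", raw))
    return findings


if __name__ == "__main__":
    for category, line in triage_hjt(SAMPLE_LOG):
        print(f"{category:18} {line}")
```

Paste a full log into SAMPLE_LOG to run it over a real scan; the "Running processes" block and Rx lines pass through untouched.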

#10 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 03 December 2004 - 07:29 AM

All done! I uninstalled P2P Networking and Messenger Plus before starting on the SafeMode bit. Couldn't find dlldisk.exe. Also, the Recycle Bin shows nothing in it at all times.

Log follows:

Logfile of HijackThis v1.98.2
Scan saved at 12:25:34, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\program files\FinePixViewer\QuickDCF.exe
C:\program files\stickies\stickies.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\program files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/login?...t.yahoo.com/%3f
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SystemLoad] dlldisk.exe -services
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SystemLoad] dlldisk.exe -services
O4 - HKCU\..\Run: [SystemLoad] dlldisk.exe -drivers
O4 - Startup: Stickies.lnk = C:\program files\stickies\stickies.exe
O4 - Global Startup: Exif Launcher.lnk = C:\program files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab

#11 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 03 December 2004 - 12:51 PM

Looked at the Recycle Bin again. It appears empty, but when I go to empty it, it asks if I want to delete these 6 items (which are not showing). If I click yes, they are still there when I repeat the empty command. Any clue?

Thanks for all this, by the way.

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 03 December 2004 - 01:12 PM

Any clue?

Yes, Recycle Bin is damaged by the Look2Me infection.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#13 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 06 December 2004 - 10:20 AM

Hello. How's it going? You still there?

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:11:37 PM

Posted 06 December 2004 - 10:29 AM

Hi,

I saw only one successful removal of this infection today. I'm studying the method now. There is no definitive fix for this new variant.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#15 crgb

crgb
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 06 December 2004 - 10:38 AM

Hi - good luck - I'll hang on in and await developments.



