Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help


  • This topic is locked This topic is locked
4 replies to this topic

#1 sueum97

sueum97

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 02 August 2006 - 10:53 PM

Can you please check this out and let me know what I should remove?

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 11:52, on 8/2/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\DATAVIZ\DVZINCMSGR.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\32870i6t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\32870i6t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadBlackD] C:\WINDOWS\BLACKD.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O15 - Trusted Zone: www.walgreens.com
O15 - Trusted Zone: dashboardanywhere.chrysler.com
O15 - Trusted Zone: *.chrysler.com
O15 - Trusted Zone: *.marriott.com
O15 - Trusted Zone: *.ticketmaster.com
O15 - Trusted Zone: *.monster.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: my.cigna.com
O15 - Trusted Zone: www.consumerreports.org
O15 - Trusted Zone: http://www.bankone.com
O15 - Trusted Zone: *.bankone.com
O15 - Trusted Zone: www.online.firstusa.com
O15 - Trusted Zone: online.firstusa.com
O15 - Trusted Zone: www.shop.intuit.com
O15 - Trusted Zone: http://www.wynnlasvegas.com
O15 - Trusted Zone: *.aaamich.com
O15 - Trusted Zone: ww2.aaa.com
O15 - Trusted Zone: www.wizards.com
O15 - Trusted Zone: sshcdm06.extra.daimlerchrysler.com
O15 - Trusted Zone: http://www.gencon.com
O15 - Trusted Zone: http://registration.gencon.com
O15 - Trusted Zone: http://www.gm.com
O15 - Trusted Zone: www.majorgeeks.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://www.macromedia.com
O15 - Trusted Zone: http://www.buick.com
O15 - Trusted Zone: http://www.autoclubgroup.com
O15 - Trusted Zone: http://*.photoworks.com
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.spiritair.com/CFIDE/classes/CFJava.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...262/mcfscan.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.basf.com/iNotes.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup141.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://sshcdm06.extra.daimlerchrysler.com/iNotes6.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -

BC AdBot (Login to Remove)

 


#2 sueum97

sueum97
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:20 AM

Posted 06 August 2006 - 01:34 PM

Can you please investigate - I still haven't heard from anyone - it's been 4 days. Thanks!

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:20 AM

Posted 11 August 2006 - 03:01 PM

Welcome to the Bleeping Computer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:20 AM

Posted 13 August 2006 - 04:23 PM

Step 1
Please disable Spybot S&D TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box
You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Step 2
There are several reasons for putting HijackThis into its own folder.
  • HijackThis is an analysis AND a repair tool. When you fix something in HijackThis, you are deleting a bad entry in the Windows Registry. In case of a mistake being made, there is a reversal for line entry deletions. HijackThis creates a new file which is a backup log of changes and you can reverse the line entry deletion. BUT...HijackThis needs a safe folder to keep these critical backup logs and a temp folder is definitely not safe as you might run Disk Cleanup and delete them.
  • If you save HijackThis to your desktop, you may easily lose track of the backup log in the wallpaper area (or someone might delete the backup file by dragging it to the Recycle Bin).
  • If you run HijackThis from a zip folder, backups may not be made.
  • If you run HijackThis from a Local Settings Temporary folder in XP or Windows 2000, when you post for help on a forum, the resulting text log will usually show your full name in a line entry since your Windows user profile is commonly named with your full name. When you copy and paste your log, HijackThis provides a line entry showing the path to its running folder. If you use another folder like HijackThis in the root of the C: drive (as recommended) then your Profile Name will NOT be displayed in the log.
Please download HijackThis Self-installer
  • This is the easiest way to install HijackThis to your computer
  • This is a complete installer that installs HijackThis on the computer to C:\Program Files\HijackThis.
  • It makes an entry in the start menu
  • It allows you to have a shortcut on your desktop as well.
  • HijackThis is currently at Version 1.99.1 released on 16.02.2005.
  • It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
Step 3

Please download Spybot S&D

Using Spybot Search and Destroy To Remove Spyware From Your Computer Please check this link for instructions on how to download, install and use Spybot S&D. Run this program as soon as possible.

Step 4

Please download Ad-Aware SE

Using Ad-Aware To Remove Spyware From Your Computer Please check this link for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 5

Download and Install Ewido
Please print out the following instructions as this page will be unavailable to you while you are working in Safe Mode.
Please download ewido anti-spyware
  • Install ewido anti-spyware.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
  • Launch ewido, there should be an ewido anti-spyware icon on your desktop, double-click it.
  • The program will prompt you to update; click the "OK" button
  • The program will now go to the main screen
  • On the left hand side of the main screen click update
  • Click on Start
    The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
    Note: Ewido is a free trial product for 30 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 30 days (which is the reason we uncheck them during installation). You can use Ewido as an on demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.
    If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

    IMPORTANT!:

    Once the updates are installed do the following:
  • If you have an "always on" connection to the Internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode, you can do this by restarting your computer, then repeatedly tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    Scan with ewido:
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
    Save and Post Your Report:
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop
  • Exit ewido
Reboot back into normal mode
When you are ready to post your next reply, double click on the saved report to open it, then use Ctrl + A to select all text, then Ctrl + C to copy the selected text to your clipboard. Next, open a new reply to your active topic in the forum, and use Ctrl + V to paste the copied text of the ewido log from your clipboard into your reply.
Step 6
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.
Step 7
Please download the ATF-Cleaner ATF-Cleaner features include:
  • Cleaning of all user temp folders, administrator only can use this feature.
  • Cleaning of the Java cache, which seems to be harbouring more and more malware.
  • Cleaning for the Opera browser, including Operas cache, cookies, history, download history, saved passwords and visited links
Do not run it yet.
Step 8
You may want to print out this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now we will address the HijackThis fixes.

Please run HijackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup141.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -


If you did not add the domains below to the Trusted Zones yourself, have HijackThis fix it.
O15 - Trusted Zone: www.walgreens.com
O15 - Trusted Zone: dashboardanywhere.chrysler.com
O15 - Trusted Zone: *.chrysler.com
O15 - Trusted Zone: *.marriott.com
O15 - Trusted Zone: *.ticketmaster.com
O15 - Trusted Zone: *.monster.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: my.cigna.com
O15 - Trusted Zone: www.consumerreports.org
O15 - Trusted Zone: http://www.bankone.com
O15 - Trusted Zone: *.bankone.com
O15 - Trusted Zone: www.online.firstusa.com
O15 - Trusted Zone: online.firstusa.com
O15 - Trusted Zone: www.shop.intuit.com
O15 - Trusted Zone: http://www.wynnlasvegas.com
O15 - Trusted Zone: *.aaamich.com
O15 - Trusted Zone: ww2.aaa.com
O15 - Trusted Zone: www.wizards.com
O15 - Trusted Zone: sshcdm06.extra.daimlerchrysler.com
O15 - Trusted Zone: http://www.gencon.com
O15 - Trusted Zone: http://registration.gencon.com
O15 - Trusted Zone: http://www.gm.com
O15 - Trusted Zone: www.majorgeeks.com
O15 - Trusted Zone: http://www.majorgeeks.com
O15 - Trusted Zone: http://www.macromedia.com
O15 - Trusted Zone: http://www.buick.com
O15 - Trusted Zone: http://www.autoclubgroup.com
O15 - Trusted Zone: http://*.photoworks.com


Close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Step 9

Let’s run ATF Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 10

Please run HijackThis again and post a fresh log so I can make sure that all the malware was deleted according to plan
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:20 AM

Posted 25 August 2006 - 01:25 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users