Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

t.swapx and win-eto hijacker


  • Please log in to reply
8 replies to this topic

#1 seb

seb

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 06 December 2004 - 08:12 PM

i have run spy bot and adaware but they keep coming up withthe same stuff
over and over again.here is my hijack this log
Logfile of HijackThis v1.98.2
Scan saved at 8:23:00 PM, on 12/6/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\paprport\pptd40nt.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\57xt5oee30thd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\seb\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\57xt5oee30thd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A02620-4568-4DD6-9ADD-1CBE33AF32E8}: NameServer = 192.168.0.1,199.166.210.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F96FAD51-1F37-4B12-A4B7-B9167E3152E8}: NameServer = 64.187.19.67 66.38.173.67
O20 - AppInit_DLLs: ljzl5zeybpn1um.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

any help would be appriciated

BC AdBot (Login to Remove)

 


m

#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:12:41 AM

Posted 08 December 2004 - 05:43 AM

Hi seb,

I'll be looking after the review and fix of your malware infections. I'll get back to you as soon as possible.

#3 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:12:41 AM

Posted 08 December 2004 - 09:35 AM

Hi seb,

Your log shows that you are a little behind on Windows updates.
It is essential that you update your Windows before we continue to help you as the infections could reoccur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing.

When its done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

Run HijackThis and post a new log here.

#4 seb

seb
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 08 December 2004 - 08:11 PM

hey thanks for the quicker than expected response, i've installed the updates and ran the hijack this program again here is the new log
Logfile of HijackThis v1.98.2
Scan saved at 8:19:51 PM, on 12/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\paprport\pptd40nt.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\57xt5oee30thd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\seb\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\57xt5oee30thd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A02620-4568-4DD6-9ADD-1CBE33AF32E8}: NameServer = 192.168.0.1,199.166.210.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F96FAD51-1F37-4B12-A4B7-B9167E3152E8}: NameServer = 64.187.19.67 66.38.173.67
O20 - AppInit_DLLs: dpk5tfmkusm2ye.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

again thanl you for the help,this thing sucks to have on ky pc!!!

#5 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:12:41 AM

Posted 09 December 2004 - 06:10 AM

Hi seb,

It is a good idea to print or copy these instructions because you are not able to access the Internet in Safe Mode.

You have two O17 - HKLM\System\CCS\Services\Tcpip..... entries that can be used by hijackers to send you to their servers. If you do not recognize these as being you Internet Service Provider or Company server then please mark them to be fixed in step 7.

Before we fix the main malware please uninstall TSA from Add\Remove Programs.
Click Remove, Select Automatic Uninstall or Custom (select all entries to remove them).

1. Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the address bar:

C:\WINNT\system32\W8C6S4~3.DLL

C:\WINNT\system32\dpk5tfmkusm2ye.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

C:\WINNT\System32\57xt5oee30thd.exe


After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer No
For the last file (or first, if only one file), answer Yes

On restart, verify that the files have been deleted.

Please reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

7. Run HijackThis!, press Scan, and put a check mark next to all these:O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\system32\W8C6S4~3.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: dpk5tfmkusm2ye.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O4 - HKLM\..\Run: [Control handler] C:\WINNT\System32\57xt5oee30thd.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.greg-search.com
Optional RemovesO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Resource hog that launches common MS Office components to help speed up the launch of Office programs. There are doubts that there is any difference with it loaded.


Close all other windows and browsers, and press the Fix Checked button.

8. Search for these files and delete them if found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <-- this file, please read the note below
Note: there is a legitimate Windows file with a similar name: winlogon.exe in the c:\WINNT\system32\ folder. Do not delete the legitimate winlogon.exe file.
Note the difference:
winlogin.exe - bad file
winlogon.exe - legitimate Windows file

C:\WINNT\system32\W8C6S4~3.DLL

C:\WINNT\System32\57xt5oee30thd.exe

Delete these folders:
C:\Program Files\Common Files\tsa

9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

11. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.

15. REBOOT normally. Run HijackThis! again and post a new log please.

#6 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:12:41 AM

Posted 09 December 2004 - 02:09 PM

Hi seb,

If you haven't actioned the fix above could you please do this first in case you need the backups:

You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis
makes may accidentally get deleted, so please put HijackThis into a permanent folder.
Full instructions on how to do this can be found here:Detailed Explanation
Brief instructions to create a permanent folder are:
  • Click My Computer, then C:\
  • In the menu bar, File->New->Folder.
  • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
  • Now you have C:\HJT\ folder.
  • Put your HijackThis.exe there.

Edited by penmore, 09 December 2004 - 02:10 PM.


#7 seb

seb
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 11 December 2004 - 08:04 PM

hey i was assisted in removal of this t. swapx thing but i have lost my entry in the forum and can't find it but here is my new log. you guys rock i think i am free!!!!!

here's the log
Logfile of HijackThis v1.98.2
Scan saved at 8:15:47 PM, on 12/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\paprport\pptd40nt.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\system32\sistray.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\seb\Local Settings\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A02620-4568-4DD6-9ADD-1CBE33AF32E8}: NameServer = 192.168.0.1,199.166.210.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F96FAD51-1F37-4B12-A4B7-B9167E3152E8}: NameServer = 64.187.19.67 66.38.173.67

thanks again

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:41 PM

Posted 12 December 2004 - 12:16 PM

i have lost my entry in the forum

Huh :flowers: . Use "My control panel" :thumbsup:

I merged your topics.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:12:41 AM

Posted 12 December 2004 - 02:23 PM

Hi seb,

Your log looks clean, well done!!

I notice that you didn't manage to move HijackThis into its own folder on the c:\ drive.
If you are going to leave it installed will you please follow the instructions I gave
earlier and move in into it's own folder on the C:\ drive.

If you have difficulty finding a post you started in the forum just use the search facility and type your pen name (seb) into the box and the right, choose the HijackThis forum on the left and click the search button.

The infection that you had was quite serious and may not be as easy to remove in the future, if you
become infected again. To ensure that you have the best possible protection then please read through the items
I have listed below and implement any of the protective measures that I have outlined and that you do
not have at the moment.
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here:Renable system restore with instructions from tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    See this link for a listing of some online & their stand-alone antivirus programs:Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
    For a tutorial on Firewalls and a listing of some available ones see the link below:Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windows Update Site regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
    A tutorial on installing & using this product can be found here:Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Edited by penmore, 12 December 2004 - 02:23 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users