again 69.20.16.183



#1 Triangle

Posted 11 December 2004 - 08:56 PM

Hi! I have already spent 3 days trying to clean my PC of an "unknown" spy that keeps putting redirection strings into the HOSTS file and randomly starting IE windows with advertisements. I have tried Spybot, Ad-aware, Spy-Sweeper, Trend-Micro, CWShredder, and a couple more similar products - no effect....
Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 20:53:50, on 11.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\CTSvcCDA.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\rundll32.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\devldr32.exe
D:\PROGRA~1\PopOops\PopOops.exe
D:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
D:\WINNT\system32\internat.exe
D:\Program Files\DS Clock\dsclock.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
D:\Program Files\Far\Far.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Outlook Express\msimn.exe
C:\INSTALL\spy_removers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [PopOops] D:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [DS Clock] "D:\Program Files\DS Clock\dsclock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: YahooPOPs.lnk = D:\Program Files\YahooPOPs\YahooPOPs.exe
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Broken Internet access because of LSP provider 'd:\program files\newdotnet\newdotnet6_38.dll' missing


#2 Triangle (Topic Starter)

Posted 11 December 2004 - 09:51 PM

In addition, I am posting the FIND IT log
=======================================
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 44C5-C04F

Directory of D:\WINNT\System32

11.12.2004 19:52 225 049 cyetcfg.dll
11.12.2004 19:52 225 588 lvlq0935e.dll
11.12.2004 19:26 <DIR> dllcache
11.12.2004 10:36 225 049 i0420ahoed4c0.dll
11.12.2004 10:23 225 049 fpjm0311e.dll
11.12.2004 00:25 224 716 fp8o03l3e.dll
10.12.2004 21:57 225 537 l40u0ed9eh0.dll
10.12.2004 20:52 225 792 mvnml9511.dll
10.12.2004 20:47 224 928 hrr2059oe.dll
10.12.2004 20:43 225 169 k6lq0g35e6.dll
10.12.2004 20:34 224 633 fpn2035oe.dll
10.12.2004 20:29 223 213 fpn0035me.dll
10.12.2004 19:57 223 213 mfpdox35.dll
10.12.2004 18:12 224 633 NUWKS.DLL
13 File(s) 2 922 569 bytes
1 Dir(s) 11 629 096 960 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 44C5-C04F

Directory of D:\WINNT\System32

11.12.2004 19:26 <DIR> dllcache
11.10.2004 20:12 <DIR> GroupPolicy
11.10.2004 20:05 22 109 folder.htt
11.10.2004 20:05 271 desktop.ini
2 File(s) 22 380 bytes
2 Dir(s) 11 629 096 960 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 44C5-C04F

Directory of D:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 44C5-C04F

Directory of D:\WINNT\System32

22.03.2000 23:00 5 709 CONFIG.TMP
1 File(s) 5 709 bytes
0 Dir(s) 11 629 096 960 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{69AB1C5C-92E8-4896-AE20-034F46588FD8}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
"Asynchronous"=dword:00000000
"DllName"="logonnfy.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventConsoleLock"
"Unlock"="WLEventConsoleUnLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINNT\\system32\\i0420ahoed4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

D:\WINNT\System32\CYETCFG.DLL +++ File read error

-------------- Locate.com Results ---------------


D:\WINNT\SYSTEM32\
cyetcfg.dll Sat 11 Dec 2004 19:52:18 ..S.R 225 049 219.77 K
fp8o03~1.dll Sat 11 Dec 2004 0:25:38 ..S.R 224 716 219.45 K
fpjm03~1.dll Sat 11 Dec 2004 10:23:54 ..S.R 225 049 219.77 K
fpn003~1.dll Fri 10 Dec 2004 20:29:18 ..S.R 223 213 217.98 K
fpn203~1.dll Fri 10 Dec 2004 20:34:22 ..S.R 224 633 219.37 K
hrr205~1.dll Fri 10 Dec 2004 20:47:04 ..S.R 224 928 219.66 K
i0420a~1.dll Sat 11 Dec 2004 10:36:08 ..S.R 225 049 219.77 K
k6lq0g~1.dll Fri 10 Dec 2004 20:43:08 ..S.R 225 169 219.89 K
l40u0e~1.dll Fri 10 Dec 2004 21:57:02 ..S.R 225 537 220.25 K
lvlq09~1.dll Sat 11 Dec 2004 19:52:18 ..S.R 225 588 220.30 K
mfpdox35.dll Fri 10 Dec 2004 19:57:18 ..S.R 223 213 217.98 K
mvnml9~1.dll Fri 10 Dec 2004 20:52:34 ..S.R 225 792 220.50 K
nuwks.dll Fri 10 Dec 2004 18:12:06 ..S.R 224 633 219.37 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2 922 569 bytes 2.79 M
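The two logs above contain the whole picture when read together: the HijackThis O1 lines show one non-loopback IP (69.20.16.183) receiving several search hostnames, and the FIND IT dump shows a Winlogon\Notify subkey (ExtShellViews) whose DllName is an absolute path to a freshly dropped, randomly named DLL in System32 that also appears in the "System Files in System32 Directory" listing. The script below is an added example, not part of the original posts and not code from HijackThis or FIND IT. It parses both log formats and flags exactly those two patterns. The sample inputs are constructed from the thread; the RECENT_SYSTEM32 set and the "registered by absolute path" heuristic are this example's own assumptions, not rules either tool applies.

```python
"""Triage of the two logs posted above: HijackThis "O1 - Hosts:" lines and the
FIND IT REGEDIT4 dump of Winlogon\\Notify cross-checked against the System32
listing.  Added example; not code from the original post, HijackThis or FIND IT.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a few lines taken from the HijackThis log in post #1.
HJT_SAMPLE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ca
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
"""

# Constructed sample: three Notify subkeys from the FIND IT dump in post #2
# (one REG_EXPAND_SZ stored as hex(2), one absolute path, one bare name).
NOTIFY_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
"DllName"="D:\\WINNT\\system32\\i0420ahoed4c0.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"""

# Assumption for this example: names copied from the "System Files in System32
# Directory" listing (all created within two days of the log, all ~220 KB).
RECENT_SYSTEM32 = {"cyetcfg.dll", "lvlq0935e.dll", "i0420ahoed4c0.dll",
                   "fpjm0311e.dll", "nuwks.dll"}

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_hijacks(hjt_log: str, min_hosts: int = 2) -> dict[str, list[str]]:
    """Return {ip: [hostnames]} for each non-local IP that at least
    `min_hosts` distinct O1 hostnames are redirected to."""
    by_ip: dict[str, list[str]] = defaultdict(list)
    for m in re.finditer(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", hjt_log, re.M):
        ip, host = m.groups()
        if ip not in LOCAL_IPS and host not in by_ip[ip]:
            by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def _decode_reg_value(raw: str) -> str:
    """Decode a REGEDIT4 value: a quoted string (with doubled backslashes)
    or a hex(2) REG_EXPAND_SZ byte list terminated by a NUL."""
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(","))
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


def notify_dlls(reg_dump: str) -> dict[str, str]:
    """Return {subkey: dll} for every Winlogon\\Notify subkey in the dump."""
    result: dict[str, str] = {}
    current = None
    for line in reg_dump.splitlines():
        if line.startswith("["):
            key = re.match(r"^\[.*\\Winlogon\\Notify\\([^\]]+)\]", line)
            current = key.group(1) if key else None
            continue
        val = re.match(r'^"DllName"=(.*)$', line, re.I)  # also matches "DLLName"
        if val and current:
            result[current] = _decode_reg_value(val.group(1))
    return result


def suspicious_notify(reg_dump: str, recent_files: set[str]) -> dict[str, str]:
    """Flag Notify DLLs registered by absolute path, or whose basename is one
    of the recently dropped System32 files.  Heuristic (assumption of this
    example): Windows' own Notify packages are registered by bare file name."""
    recent = {f.lower() for f in recent_files}
    flagged = {}
    for subkey, dll in notify_dlls(reg_dump).items():
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll or base in recent:
            flagged[subkey] = dll
    return flagged


if __name__ == "__main__":
    for ip, hosts in hosts_hijacks(HJT_SAMPLE).items():
        print(f"[HOSTS] {ip} receives {len(hosts)} names: {', '.join(hosts)}")
    for subkey, dll in suspicious_notify(NOTIFY_SAMPLE, RECENT_SYSTEM32).items():
        print(f"[NOTIFY] {subkey} -> {dll}")
```

On the logs above this reports 69.20.16.183 as the target of three search hostnames and ExtShellViews as the only Notify subkey pointing at an absolute path, which is also one of the freshly created ~220 KB DLLs. The cross-check matters because a Notify DLL is loaded by winlogon.exe at logon, so deleting the file alone leaves a dangling registration and removing the registry key alone leaves the file (and, as the listing shows, the dropper kept creating new copies under new random names).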


#3 Triangle (Topic Starter)

Posted 12 December 2004 - 06:04 PM

Thanks to FIND IT and COMPAREDLL, my computer is clean now.... Will see what happens tomorrow....

Edited by Triangle, 12 December 2004 - 06:04 PM.


#4 Grinler (Lawrence Abrams, Admin)

Posted 16 December 2004 - 05:07 PM

Hi, if you are still having a problem:

You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log.