Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

please help!


  • Please log in to reply
1 reply to this topic

#1 nc190proof

nc190proof

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:00 AM

Posted 23 December 2004 - 08:10 PM

someone please help this is really annoying......im pretty good at computers and i still cant figure this out..... here is the log maybe somone can help me get rid of this nasty little bugger.....thanks to all whom help

Logfile of HijackThis v1.99.0
Scan saved at 10:55:38 AM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\csrss.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sysman\Sysman.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\UNZIPPED\hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\System32\siq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\System32\webalize.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Sysman] C:\Program Files\Sysman\Sysman.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kobhrjxq] C:\WINDOWS\hmidrbin.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ukc] C:\WINDOWS\System32\ukc.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Runner.LNK = C:\Program Files\Hypno\Runner.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NTLOAD - Unknown - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:00 AM

Posted 24 December 2004 - 04:51 AM

Hi

You are using Warez P2P Client. This is not technically malware by itself, but it opens the door for every other nasty program you can think of. I strongly recommend that you remove it.

Please check this file:

c:\windows\system32\dllcache\win32\winlogon.exe <-- this file, in this folder

here: Kaspersky Online Virus Scanner

and here:

http://virusscan.jotti.dhs.org/

Note: there is a legitimate Windows file in the C:\WINDOWS\system32\ folder
C:\WINDOWS\system32\winlogon.exe <-- this file in this folder is legitimate


Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\System32\siq.dll

O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\System32\webalize.dll (file missing)

O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Sysman] C:\Program Files\Sysman\Sysman.exe
O4 - HKLM\..\Run: [kobhrjxq] C:\WINDOWS\hmidrbin.exe
O4 - HKLM\..\Run: [ukc] C:\WINDOWS\System32\ukc.exe

These are suspect. Fix these if c:\windows\system32\dllcache\win32\winlogon.exe <-- this file is bad. Check the file first.
O23 - Service: NTLOAD - Unknown - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown - c:\windows\system32\dllcache\win32\winlogon.exe

Note: there is a legitimate Windows file in the C:\WINDOWS\system32\ folder
C:\WINDOWS\system32\winlogon.exe <-- this file, in this folder is legitimate


I found no information about this file. If you don't know what it is/does check this entry:
O4 - Startup: Runner.LNK = C:\Program Files\Hypno\Runner.EXE

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\System32\siq.dll <-- this file
C:\WINDOWS\System32\webalize.dll <-- this file
C:\WINDOWS\hmidrbin.exe <-- this file
C:\WINDOWS\System32\ukc.exe <-- this file

c:\windows\system32\dllcache\win32\winlogon.exe <-- this file, if it is bad, check the file first
Note: there is a legitimate Windows file in the C:\WINDOWS\system32\ folder
C:\WINDOWS\system32\winlogon.exe <-- this file, in this folder is legitimate

Delete these folders:
C:\Program Files\WindUpdates\ <-- this folder
C:\Program Files\Sysman\ <-- this folder

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Perform at least 2 online scans.

Perform a full scan here: Trendmicro, check AutoClean and let him remove anything he finds.

Perform a full scan here: Panda Online, follow the instructions on the screed, make sure these are checked:
- Disinfect automatically
- Scan compressed files
- Scan e-mail files
- Neutralize Trojans
and let him remove anything he finds.

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let him remove anything it findes.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users