Blinking Hourglass At The Side Of The Cursor

#1 sanjay.pandita111

Posted 24 April 2007 - 11:19 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:08:45 AM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\sanju\Desktop\hijackthis_sfx.exe
C:\Documents and Settings\sanju\Desktop\hijk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MSEvents Object - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\efcaaxx.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {54439B06-CEC2-42AE-8F05-F93373C40558} - C:\WINDOWS\system32\woyejvkn.dll
O2 - BHO: (no name) - {5E50480E-40AB-440F-959B-8E6E3FDBFBDA} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {6DCDF367-A9AD-49EC-A50A-C3CE50A5728D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: MSEvents Object - {8B40795B-DD1E-4A0F-8949-1D34A1A2B600} - C:\WINDOWS\system32\ljhef.dll (file missing)
O2 - BHO: MSEvents Object - {AED24E9D-C94F-4D21-A0AD-0934F3C1F78E} - C:\WINDOWS\system32\tusrq.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm075YYIN
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99AC30C1-CBD4-48E4-838F-5E983C3A3180}: NameServer = 85.255.116.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O20 - Winlogon Notify: efcaaxx - efcaaxx.dll (file missing)
O20 - Winlogon Notify: ljhef - C:\WINDOWS\system32\ljhef.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: tusrq - C:\WINDOWS\system32\tusrq.dll (file missing)
O20 - Winlogon Notify: tuvsstt - tuvsstt.dll (file missing)
O20 - Winlogon Notify: winkvs32 - C:\WINDOWS\SYSTEM32\winkvs32.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


#2 Aaflac

Posted 25 April 2007 - 10:24 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found

Close AVG AS for now. We will use it later after removing some of the malware entries on your log.

~~~~
Next, download FixWareOut from one of these sites:
http://downloads.subratam.org/Fixwareout.exe

Save it to the Desktop and run it.
Click Next, then Install, and make sure Run fixit is checked
Click: Finish

The program starts; follow the prompts.
If a security alert appears, allow the program to run.
When asked to reboot the computer, please do.
If the system takes longer than usual to load, this is normal.

When the Desktop loads, a text opens: report.txt. You will need to post this.

~~~~
Now, make sure all windows are closed and run HijackThis
-Click on Config
-Click on Misc Tools
-Click on Delete a File on Reboot
-In the File Name field of the Enter File to be Deleted window, copy/paste:

C:\WINDOWS\SYSTEM32\winjks32.dll

-Press the Open button
(You are notified that the file in question will be deleted on reboot)
Click No when asked whether you want to restart the computer

~~~~
Run HijackThis, Scan
Check box for:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: MSEvents Object - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\efcaaxx.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {54439B06-CEC2-42AE-8F05-F93373C40558} - C:\WINDOWS\system32\woyejvkn.dll
O2 - BHO: (no name) - {5E50480E-40AB-440F-959B-8E6E3FDBFBDA} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {6DCDF367-A9AD-49EC-A50A-C3CE50A5728D} - (no file)
O2 - BHO: MSEvents Object - {8B40795B-DD1E-4A0F-8949-1D34A1A2B600} - C:\WINDOWS\system32\ljhef.dll (file missing)
O2 - BHO: MSEvents Object - {AED24E9D-C94F-4D21-A0AD-0934F3C1F78E} - C:\WINDOWS\system32\tusrq.dll (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{99AC30C1-CBD4-48E4-838F-5E983C3A3180}: NameServer = 85.255.116.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235

O20 - Winlogon Notify: efcaaxx - efcaaxx.dll (file missing)
O20 - Winlogon Notify: ljhef - C:\WINDOWS\system32\ljhef.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: tusrq - C:\WINDOWS\system32\tusrq.dll (file missing)
O20 - Winlogon Notify: tuvsstt - tuvsstt.dll (file missing)
O20 - Winlogon Notify: winkvs32 - C:\WINDOWS\SYSTEM32\winkvs32.dll

Select: Fix checked
Exit HijackThis

~~~~
Restart your computer in Safe Mode:
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
In Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning, as it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the following:
The FixWareout report.txt
The AVG AS report
A new HijackThis log

Old duck...
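The reply above targets two kinds of entries in the posted log: the O17 lines, which point the machine's DNS settings at servers outside its own network, and the O20 Winlogon Notify lines whose DLLs are not standard Windows components or are reported as missing. As an added example (not code from either post), the Python below parses lines in HijackThis format and flags both patterns. The Windows XP Winlogon Notify allowlist is my assumption and should be extended with your own baseline, and since legitimate ISP resolvers are also public addresses, pass them as expected_dns rather than treating every external resolver as hostile.

```python
import ipaddress
import re
# Winlogon Notify packages Windows XP ships by default (assumed allowlist; extend it).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
O17_RE = re.compile(r"^O17 - .+?: NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Constructed sample in HijackThis format, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.120 85.255.112.235
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: tusrq - C:\WINDOWS\system32\tusrq.dll (file missing)
"""

def check_o17(line, expected_dns=frozenset()):
    # Flag resolvers outside private/loopback space that are not the caller's known ISP resolvers.
    m = O17_RE.match(line)
    if not m:
        return []
    reasons = []
    for token in re.split(r"[ ,]+", m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            reasons.append(f"unparseable resolver {token!r}")
            continue
        if not (ip.is_private or ip.is_loopback or token in expected_dns):
            reasons.append(f"external resolver {token}")
    return reasons

def check_o20(line):
    # Flag packages outside the allowlist and DLLs HijackThis reports as "(file missing)".
    m = O20_RE.match(line)
    if not m:
        return []
    reasons = []
    if m.group("name").lower() not in KNOWN_NOTIFY:
        reasons.append(f"unknown Winlogon Notify package {m.group('name')!r}")
    if m.group("path").endswith("(file missing)"):
        reasons.append("registered DLL is missing on disk")
    return reasons

def analyze(log_text, expected_dns=frozenset()):
    # Return (line, reasons) for every O17/O20 line that deserves a human look.
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    hits = ((l, check_o17(l, expected_dns) + check_o20(l)) for l in lines)
    return [(l, reasons) for l, reasons in hits if reasons]
```

Run against the constructed sample, it flags the two external resolvers and the two non-standard Notify packages while leaving the private resolver and crypt32chain alone.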
