
Help Please.


This topic is locked. 2 replies to this topic.

#1 Agent86 (Members, 2 posts)

Posted 25 April 2007 - 12:20 PM

Anything wrong with this?

Logfile of HijackThis v1.99.1
Scan saved at 9:35:54 AM, on 4/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Toshiba\Strata CS\TvWksSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\DOCUME~1\SUNNY~1.GRO\LOCALS~1\Temp\21007609.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\WinFSC\Program\fsc.exe
F:\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.103.1/auth.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINNT\system32\imtqodk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINNT\system32\rundll32.exe "C:\Documents and Settings\Sunny.Grover\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PID41IER.exe ] C:\WINNT\system32\PID41IER.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\SUNNY~1.GRO\LOCALS~1\Temp\21007609.exe
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\SUNNY~1.GRO\LOCALS~1\Temp\21011265.exe "
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RightFAX Print-to-Fax Driver.lnk = C:\Program Files\RightFAX\FaxCtrl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.freewayinsurance.com
O15 - Trusted Zone: http://*.i-now.net
O15 - Trusted Zone: http://*.soloinsurance.com
O15 - Trusted Zone: http://*.southcoastinsurance.com
O15 - Trusted Zone: http://*.freewayinsurance.com (HKLM)
O15 - Trusted Zone: http://*.i-now.net (HKLM)
O15 - Trusted Zone: http://*.soloinsurance.com (HKLM)
O15 - Trusted Zone: http://*.southcoastinsurance.com (HKLM)
O15 - Trusted IP range: 192.168.103.1
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://admin.i-now.net/Administrator/controls/ScriptX.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {57F6A6CE-0489-11D4-A139-0000E85F1751} (Pegasus Smartscan Xpress Barcode v3.0) - http://admin.i-now.net/Administrator/Controls/ssxbc30.cab
O16 - DPF: {83EC7951-7494-40E0-BB5A-918EE0A12407} (SCIp.SCIPIC) - http://admin.i-now.net/Administrator/Controls/SCIp.CAB
O16 - DPF: {904554CA-BFE4-422D-9194-B0256D0C432A} (SCIViewer.SCIImage) - http://admin.i-now.net/Administrator/Controls/SCIImage.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frwy103.corp.frwy.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frwy103.corp.frwy.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = frwy103.corp.frwy.local
O20 - AppInit_DLLs: C:\WINNT\system32\svch6wu.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\
O21 - SSODL: SvcSys - {FB9DA508-979C-4160-952E-0391440A0866} - svcsys.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: TeleVantage Workstation Service (TvWksSvc) - Artisoft Inc. - C:\Program Files\Common Files\Toshiba\Strata CS\TvWksSvc.exe
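A small triage script, added here as an example and not part of the thread or of HijackThis itself. It parses HijackThis entries and flags the classes of line that stand out in the log above: autostarts launched from the user's Temp or Local Settings folders, orphaned "(file missing)" entries, an AppInit_DLLs entry and an SSODL entry. The rule set and its names are my own choice; the sample lines are copied from the log above plus one benign QuickTime entry.

```python
import re

# Constructed sample: lines copied from the HijackThis log above plus one
# benign QuickTime entry, so the triage runs offline on realistic input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINNT\system32\imtqodk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINNT\system32\rundll32.exe "C:\Documents and Settings\Sunny.Grover\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\SUNNY~1.GRO\LOCALS~1\Temp\21007609.exe
O20 - AppInit_DLLs: C:\WINNT\system32\svch6wu.dll
O21 - SSODL: SvcSys - {FB9DA508-979C-4160-952E-0391440A0866} - svcsys.dll (file missing)
"""

# Each HijackThis entry is "<section> - <body>"; process-list and header lines do not match.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Heuristics a helper applies by eye (my own rules, not HijackThis logic):
# autostarts from the user's Temp / Local Settings tree, entries whose file is
# already gone (leftovers of something removed or renamed), AppInit_DLLs (a DLL
# loaded into every process that links user32.dll) and SSODL shell entries.
RULES = [
    ("autostart from user Temp/Local Settings",
     lambda sec, body: sec == "O4"
     and re.search(r"\\(LOCALS~1|Local Settings)\\", body, re.I) is not None),
    ("orphaned entry (file missing)",
     lambda sec, body: "(file missing)" in body),
    ("AppInit_DLLs injection",
     lambda sec, body: sec == "O20" and body.startswith("AppInit_DLLs")),
    ("ShellServiceObjectDelayLoad entry",
     lambda sec, body: sec == "O21"),
]

def triage(log_text):
    """Return [(section, body, [matched rule names])] for each flagged line."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # header, "Running processes" paths, blank lines
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = [name for name, check in RULES if check(sec, body)]
        if reasons:
            hits.append((sec, body, reasons))
    return hits

if __name__ == "__main__":
    for sec, body, reasons in triage(SAMPLE_LOG):
        print(f"{sec}: {body}\n    -> {', '.join(reasons)}")
```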


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 01 May 2007 - 05:56 AM

Hello,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually, it doesn't surprise me at all that this computer is so terribly infected. When dealing with malware or preventing malware, you should at least install some protection. Unfortunately I notice from your log that you didn't make an effort to scan with an Antivirus first, since I see your Norton was most probably uninstalled.

So, it really doesn't make sense that we try to clean this up while a scanner should be able to delete and disinfect most of it (since you are most probably also dealing with a file infector here :thumbsup: )

So, Install an Antivirus and Firewall first...

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease their reliability!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Then run a full scan with your Antivirus and let it delete/disinfect anything it is finding.
Then reboot.

After reboot, post a new HijackThis log in your next reply, then we can start from there.

As a sidenote - since this system is so terribly infected, keep in mind that there's a possibility that the only way to solve your problem properly is to perform a format and reinstall. This is because some of the malware you are dealing with (+ file infector) damages a lot, and not all damage can be fixed.
Also, please change all your passwords from another clean computer (not this one), since they are known.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 08 May 2007 - 04:22 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.