Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack log


  • Please log in to reply
2 replies to this topic

#1 Hallie

Hallie

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 AM

Posted 15 January 2005 - 07:49 AM

Hi! Is there somebody who could help me? I'm posting from a friend's pc because in mine explorer and outlook don't work anymore, I don't know what to do :thumbsup: Thanks a lot guys!!!

Logfile of HijackThis v1.99.0
Scan saved at 13.38.25, on 15/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\realone.exe
C:\WINDOWS\System32\Botnet.exe
C:\WINDOWS\System32\winsystem32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\crashes.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\mmups.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\sssasasb32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\vpc32.exe
C:\Documents and Settings\XP\Dati applicazioni\tihi.exe
C:\Programmi\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ShellExt\a1sc18h.EXE
C:\Documents and Settings\XP\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\logon.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [u04C
}z[8C:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\qyikm.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [lamebleep] C:\crashes.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vlgrw.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvhug32.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Csau] C:\Documents and Settings\XP\Dati applicazioni\tihi.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes.../bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD5071D4-4B4B-4402-BCAB-D12CE4F6E8BF}: NameServer = 217.141.110.203 151.99.125.1
O18 - Filter: text/html - {A46AF3BC-8FB4-402F-B925-F149EB1934A4} - C:\Documents and Settings\XP\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Edited by Hallie, 15 January 2005 - 11:23 AM.


BC AdBot (Login to Remove)

 


#2 Hallie

Hallie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 AM

Posted 15 January 2005 - 11:26 AM

I've also made scans with adaware but the malicious programs seem to regenerate

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:03 AM

Posted 22 January 2005 - 11:39 AM

Hi Hallie.

My apologies for the delay. If you are still having problems please do this:

1. Please run at least two of these online scans:

TrendMicro's HouseCall
ActiveScan
BitDefender

You should try to delete any files that these scanners are unable to clean.

2. Make sure AdAware has been updated, configure it for deep scanning and run it in Safe Mode. How to start Windows in Safe Mode--use the F8 method.

3. Reboot back into normal mode, then please download, update and run a Free anti-trojan

Let it fix whatever it wants to.

4. Scan again with HijackThis and post a new log as a reply to this thread.

The thing about people

is they change

when they walk away.--Mipso





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users