My Hijack This Log File . Detailed Specification Of Issue


This topic is locked
5 replies to this topic

#1 adam21 (Members)

Posted 23 May 2007 - 10:17 PM

OK, I just got through running about 5 hours' worth of virus/adware/trojan/worm scans to help get rid of an annoying trojan that has been plaguing me, even despite my multiple attempts at formatting my hard drive.
See, upon completion of my hard drive format and OS re-installation, I was still met with an annoying message prompt about downloading some trojan registry cleaner or other random trojans and spyware messages (I assume they are Smitfraud derivatives, going by the symptoms and a scan prior to the ones I recently made).
I've made 5 formatting attempts on my hard drive that I can recall, to get rid of this thing, but to no avail.
I even attempted to run SmitFraudFix and SmitRem, but those don't seem to be allowing me to get rid of this thing (neither program would scan my registry keys, by the way, so I assume that the virus/trojan must be stemming from that category of files).
So, anyway, I decided to run some fresh back-to-back scans with Ad-Aware, Spybot, Panda Antivirus and McAfee AVERT Stinger, enabled my AT&T Yahoo web browser firewall (it seems to block some of the popups, but I'd still like to completely get rid of this trojan) and even ran my AT&T Yahoo Web Browser's antivirus scan. The trojan messages are still there, so now I am just posting a HijackThis logfile in the aftermath of all that fixing I attempted, so that I can get a more specific answer and solution for how to get rid of this trojan.
Sorry if my issue sounds vague; I can elaborate more if you request.

Logfile of HijackThis v1.99.1
Scan saved at 10:05:48 PM, on 5/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Emmanuel Adams\Desktop\HiJackThis_v2.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Emmanuel Adams\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179955132236
O20 - Winlogon Notify: avldr - C:\WINNT\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe


#2 miekiemoes (Malware Response Team)

Posted 24 May 2007 - 09:30 AM

Hi,

I've made 5 formatting attempts on my hard drive that I can recall, to get rid of this thing, but to no avail.

I am sorry to hear that you had to format and reinstall Windows repeatedly to get rid of this issue, while it's actually the Messenger service causing this.
This is a known issue on operating systems like yours, or on XP versions which are not fully patched, because XP SP2 disables the Messenger service by default. This is not a trojan, virus or whatever; you are just being spammed through the Messenger service.

Also read here for more information about the Messenger service and how to disable it:
http://www.microsoft.com/windowsxp/using/s...e/stopspam.mspx

Let me know if that solved your issue.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 adam21 (Topic Starter)

Posted 24 May 2007 - 10:05 PM

Hi,

I've made 5 formatting attempts on my hard drive that I can recall, to get rid of this thing, but to no avail.

I am sorry to hear that you had to format and reinstall Windows repeatedly to get rid of this issue, while it's actually the Messenger service causing this.
This is a known issue on operating systems like yours, or on XP versions which are not fully patched, because XP SP2 disables the Messenger service by default. This is not a trojan, virus or whatever; you are just being spammed through the Messenger service.

Also read here for more information about the Messenger service and how to disable it:
http://www.microsoft.com/windowsxp/using/s...e/stopspam.mspx

Let me know if that solved your issue.

Oh THANK THE LORD for responding! I've been asking for advice on multiple other forums for 2 weeks, but no one ever replied or offered any helpful explanation for my problem or logfile. Not even the Dell or Microsoft hotlines were able to understand the problem, and I would read them the header of the message and the message itself. I was this close to wasting $127 for some on-call support. So it's not a virus? Thank heavens. I access my bank account and manage my business online, so I was paranoid about spyware.
A couple of questions, though. Is it normal for the Messenger to pop up when you're not even connected to the internet yet? Because this thing popped up even prior to establishing my connection. I followed the instructions in the helpful link you provided and shut the Messenger service off anyway. Is there a way to test whether the disabling has actually taken place?
Anyway, thank you very, very, very much for your help! I need to spend more time at this tech support forum; you saved me over 100 dollars, my friend.

#4 miekiemoes (Malware Response Team)

Posted 25 May 2007 - 03:38 AM

Hi,

No, it's not a virus. Here's a more detailed explanation of what the Messenger service exactly is and how it's being used to send spam for registry cleaners etc. (which is one of the most common kinds of spam), so the purpose is sending spam, no more, no less.
http://www.grc.com/stm/shootthemessenger.htm
No need to download "Shoot The Messenger" there, since it does the same as you already did before, and that is disabling the service manually.

Is there a way to test if the disabling has actually taken place also?

Yes, go to Start > Run and type: services.msc
Scroll to the "Messenger" service; under Status, it should be blank now. When you double-click Messenger there, it should also say "Service status: Stopped", and the startup type should remain "Disabled".

Edited by miekiemoes, 25 May 2007 - 03:39 AM.

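The same check done from a command prompt instead of services.msc, as an added example that is not part of the original thread. It assumes an administrator command prompt on Windows 2000 or XP and that sc.exe is available (built into XP; on Windows 2000 it comes with the Resource Kit, so fall back to services.msc or the registry value in step 4 if it is missing). The point a practitioner wants verified is not only that the service is stopped right now but that its startup type is Disabled, so nothing can start it again at the next boot or on demand.

```batch
@echo off
rem Added example, not from the original thread: check and disable the
rem Messenger service on Windows 2000 / XP from an administrator prompt.
rem Assumes sc.exe is present (built into XP; Resource Kit on Windows 2000).

rem 1. Current run state and startup type. The popups can only appear while
rem    STATE is RUNNING; START_TYPE 4 DISABLED is what keeps it off after a reboot.
sc query Messenger
sc qc Messenger

rem 2. Stop it now and set the startup type to Disabled.
rem    The space after "start=" is required by sc's argument parser.
net stop Messenger
sc config Messenger start= disabled

rem 3. Verify: expect "STATE : 1 STOPPED" and "START_TYPE : 4 DISABLED".
sc query Messenger | find "STATE"
sc qc Messenger | find "START_TYPE"

rem 4. The same setting as a registry value: Start = 4 means Disabled.
rem    On a machine without sc.exe, look at this value in regedit instead.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Messenger" /v Start

rem 5. Belt and braces: Messenger spam arrives as NetBIOS/RPC datagrams on
rem    UDP 135, 137-139 and 445. Check what is still bound to those ports and
rem    make sure the firewall or router blocks them inbound from the Internet.
netstat -an | find "UDP" | findstr /R ":135 :137 :138 :139 :445"
```

If step 2 reports that the Messenger service is not started, that is fine; the `sc config` line still applies and step 3 confirms the startup type. Disabling the service removes the popups, but the traffic that triggered them is still reaching the machine, which is why step 5 is worth a look: a perimeter block on those UDP ports is what stops the spam at the source.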

#5 miekiemoes (Malware Response Team)

Posted 25 May 2007 - 04:12 AM

As a side note, you may check and fix the following entries in HijackThis, since they are not needed/required either:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Check and fix the following entry if you don't want http://att.yahoo.com as your start page (you can set whatever start page you want):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

Check and fix the following leftover from Panda:

O20 - Winlogon Notify: avldr - C:\WINNT\
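A way to see what that O20 entry actually loads before fixing it, as an added example that is not part of the original thread. Winlogon Notify packages are DLLs that winlogon.exe loads as SYSTEM at logon, which is why HijackThis reports them (O20) and why a live entry for an unknown DLL deserves identification before it is removed; the avldr entry here points at a directory, C:\WINNT\, with no DLL name, which is what an orphaned leftover looks like. The script assumes reg.exe with the Windows XP output layout (a `DllName  REG_SZ  value` line); the Windows 2000 Resource Kit reg.exe prints values differently, so step 3 may need adjusting there, and regedit shows the same key.

```batch
@echo off
rem Added example, not from the original thread: inspect a Winlogon Notify
rem package before removing it. Assumes XP-style "reg query" output.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

rem 1. Every subkey here is a DLL winlogon.exe will load as SYSTEM at logon.
reg query "%KEY%"

rem 2. What the avldr entry points at.
reg query "%KEY%\avldr" /v DllName

rem 3. Pull the DllName value into a variable. Output line looks like
rem    "    DllName    REG_SZ    C:\WINNT\"; token 2 is the type, the rest is the value.
set "DLL="
for /f "tokens=2,*" %%A in ('reg query "%KEY%\avldr" /v DllName ^| find /I "DllName"') do set "DLL=%%B"

rem    Strip a trailing backslash so the directory test below works.
if defined DLL if "%DLL:~-1%"=="\" set "DLL=%DLL:~0,-1%"

if not defined DLL (
    echo avldr has no DllName value -- orphaned leftover, safe to remove
) else if exist "%DLL%\*" (
    echo avldr points at a directory, not a DLL: "%DLL%" -- orphaned leftover, safe to remove
) else if exist "%DLL%" (
    echo avldr loads "%DLL%" into winlogon.exe at logon -- identify this file before removing
) else (
    echo avldr points at a missing file "%DLL%" -- orphaned leftover, safe to remove
)

rem 4. Once confirmed, removing the subkey is the equivalent of letting
rem    HijackThis fix the O20 line:
rem    reg delete "%KEY%\avldr" /f
endlocal
```

The "identify this file" branch is the one that matters for security: a Notify DLL that exists on disk and is not from a known product (the antivirus or Novell/Cisco style logon clients that legitimately use this hook) is persistence running with SYSTEM privileges, and the right move is to check its publisher and hashes rather than simply deleting the key.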

#6 miekiemoes (Malware Response Team)

Posted 04 June 2007 - 05:52 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.