#1
Globolook Infection - HijackThis logfile included
Logfile of HijackThis v1.99.1
Scan saved at 11:01:29 PM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\jsxswn.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0276/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [auyivj] c:\windows\system32\jsxswn.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewvk32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iascpx] C:\WINDOWS\System32\iascpx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109666064140
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Last edited by oneMSBi : May 19th, 2005 at 10:49 PM.
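As an added example (not from the thread, and not HijackThis's own code), a small Python triage script run over a few entries copied from the log above. It flags the F2 Shell= line that starts a second program beside Explorer.exe, R-lines whose host is not in an assumed allowlist of the user's own start/search pages, O4 autoruns launched straight out of the Windows directory (marked for review only, since legitimate ones exist), and O15 Trusted Zone additions. The allowlist and the severity labels are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of entries copied from the HijackThis log
# posted in this thread (not the complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [auyivj] c:\windows\system32\jsxswn.exe
O4 - HKCU\..\Run: [iascpx] C:\WINDOWS\System32\iascpx.exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist: hosts this user is known to use as start/search pages.
EXPECTED_HOSTS = {"start.earthlink.net", "www.yahoo.com"}

URL_RE = re.compile(r"^R[0-3] - .* = (?P<url>\S+)$")
RUN_RE = re.compile(r"^O4 - .*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable sitting directly in C:\WINDOWS or C:\WINDOWS\System32.
WINDIR_RE = re.compile(r"(?i)^c:\\windows(?:\\system32)?\\[^\\]+$")

def exe_from_cmd(cmd):
    """First token of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def triage(log_text):
    """Return (severity, reason, line) for entries a reviewer should look at."""
    findings = []
    for line in (l.strip() for l in log_text.strip().splitlines()):
        if line.startswith("F2 - REG:system.ini: Shell="):
            # The default shell value is exactly Explorer.exe; anything appended also runs at logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("high", "shell hijack: extra program after Explorer.exe", line))
        elif line.startswith("R") and (m := URL_RE.match(line)):
            url = m.group("url")
            host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append(("high", "browser page points at unexpected host " + host, line))
        elif line.startswith("O4") and (m := RUN_RE.match(line)):
            if WINDIR_RE.match(exe_from_cmd(m.group("cmd"))):
                findings.append(("review", "autorun launched from the Windows directory", line))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("medium", "site added to IE Trusted Zone", line))
    return findings
```

Calling triage(SAMPLE_LOG) returns the two hijacked browser/shell entries, the two Windows-directory autoruns and the Trusted Zone line; the R0 earthlink start page, the QuickTime autorun and the NVIDIA service pass.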
#2
This would have been better if it had been posted in the Anti-Virus forum. Maybe one of the mods could move it over?
Also, I think your choice of title could have been a bit better!
#3
Thread moved from Windows Help to Antivirus Protection.
#4
Lisa's Globolook thread!
Guys/Girls!
Sorry I put it in the wrong place! Thanks for moving it to the correct location. Feel free to edit the title of the thread. I was in a hurry at 6 something in the morning leaving for the school where I teach. I improvised a title! I was running on one cylinder at 85 mph! I was also running Counterspy on her pc and the Globolook/Aurora kept stopping the Counterspy scan. The websites that are popping up on her pc are graphic porn photos and I'm afraid my 9 year old daughter will walk in there at the wrong time! It's absolutely terrible! Thanks for helping!
#5
Thanks go to Swandog46 for the writeup!
I strongly suggest you print out the next instructions, or save them in Notepad, because you'll have a lot of steps to take (in the right order) and you also have to work in Safe Mode, so this page wouldn't be available then.
* Please run Notepad and copy the following text into a new file:
Quote:
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
* Make sure all hidden files and folders are visible (Instructions)
* Please download, install, update and scan your system with the free version of Ewido Security Suite:
* Scan again with HijackThis and check the following items:
Quote:
* After checking these items, close all browser windows except HijackThis and click "Fix checked". Stay in Safe Mode.
* Please double-click on remove.bat. A window should open and close very quickly --- this is normal.
* Go to Start > Run and type: cleanmgr and click OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.
* Start Ewido
* Download FindIt's.zip
Tom
#6
Wow!
Tom, I'm gonna have to do this probably on Memorial day weekend when I've got a large chunk of time! Is there any way a system restore would clear this up? She's in Win XP. Thanks, Jerry
#7
There is no way a system restore by itself, to however early a restore point, can clean this up.
#8
Quote:
Please keep in mind the longer you wait, the more the infection will morph. The more it morphs, the harder it is going to be to remove. The whole fix should only take you a couple of hours.
Tom
#9
Fix attempts!
Hi, I began to implement the procedure recommended above and I got as far as the "Download Ewido Security Suite" step! In Mozilla I got a Timed Out response. When I tried in IE, I got a "The page cannot be displayed" message! I've put the remove.bat info on the desktop, configured her pc to "show hidden files", and now I'm at a roadblock! Help. What do I do now? Thanks for helping! Is it safe for her to go on the net with the hidden files showing?
teacher4u
#10
Quote:
Ewido Security Suite is a key factor in the successful removal of this infection. Please download it on another computer, burn it to CD or thumb drive (if you burn it to CD, it will be changed to a read-only file. After copying it to the infected computer, you may have to right-click the file > select Properties and uncheck "Read only") and install it on the infected computer. Let me know how it goes.
Tom
#11
Ewido step
I've already burned it on my other daughter's pc! I was wondering if they'd let me update it since it's a free trial. I'll do it and post a followup!
teacher4u
#12