|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
Stop making mediocre tutorials.The best tutorials are video! Camtasia Studio makes it easy to create engaging, buzz-building screen videos at any size, in any popular format. Download the free trial!
|
|
#1
October 19th, 2004, 08:54 PM
|
|||
|
|||
|
HijackThis Log- Thank you, Jared
Hi, I'm a newbie here at DevShed, but I heard about HijackThis, and I know for a fact that I have some spyware, adware stuff on my comp. I know I have the AproposMedia virus. Here's my HijackThis Log, thank you for your help. (Im OKAY at understanding directions on what to do to remove)
Logfile of HijackThis v1.97.7 Scan saved at 9:27:20 PM, on 10/19/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE C:\WINDOWS\System32\pbivktxb.exe C:\WINDOWS\System32\YahooMsgr.exe C:\DOCUME~1\Fred\LOCALS~1\Temp\II22.exe C:\windows\system32\saie.exe C:\WINDOWS\System32\ufalibnt.exe C:\WINDOWS\System32\upnacct.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Grace Ghioto\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.spidersearch.com/frame_results.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.spidersearch.com/frame_results.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.spidersearch.com/frame_results.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.spidersearch.com/frame_results.php R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file) O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: ohb - {EB386233-65D7-46DC-A73D-0E02F2F844A9} - C:\WINDOWS\System32\winsps32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing) O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: SpiderSearch.com Bar - {1D022C27-3771-4D1D-B1B7-1953E271C6CA} - C:\WINDOWS\System32\winsps32.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42" O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load O4 - HKLM\..\Run: [rtndlxytswplb] C:\WINDOWS\System32\pbivktxb.exe O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe O4 - HKLM\..\Run: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKLM\..\Run: [UsbD] C:\DOCUME~1\Fred\LOCALS~1\Temp\II22.exe O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe O4 - HKLM\..\Run: [wzptg] C:\WINDOWS\kukge.exe O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe O4 - HKLM\..\Run: [bcn] C:\WINDOWS\bcn.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [p3FW35l] ufalibnt.exe O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Y0w6RRJ5l] upnacct.exe O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Startup: Attach!.lnk = C:\WILD\ATTACH.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Run DAP (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=ea7e55ff27a5b4bd1ddc82a31e2659631caa523313353541f92b5b088229badb8c38288256efa9f5da7ea66744af745554 7acb3f2e85800fc48e5757288f47cfe7:cb8021dd0f788edd3e0cefe6258c0f3f O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {372DC06F-87DD-48D7-BCED-A815965C0164} (iiittt Class) - http://www.traffichog.com/toolbar2/winalot32.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E922D9B0-59DB-4D41-B6B2-0DCB24D54A35}: NameServer = 208.218.130.4 208.218.130.5 Thank you, once again. The most disturbing thing I'm noticing is a Symantec window, which I think is related to norton antivirus, pops up saying, reading message one of 1, and then if i disconnect from internet it says the message could not be sent because connection was dropped, and then it says I tried to send a message to some random email address with the subject of disturbing things like "Get the 411 on Adult Movies" etc. I dont know  Thank You!!!!
|
|
#2
October 20th, 2004, 06:12 PM
|
|||
|
|||
|
Hi Jared Ghioto,
I agree, you seem to have some virus activity going on... Let's start here: Download Stinger. Save it to your Desktop. Double-click it to start it. Make sure all of your drives are listed in the "Directories to scan" box (C:\ D:\ E:\, etc.). Click the Scan Now button and let it remove anything it finds. http://vil.nai.com/vil/stinger/ Next... Perform an onlne virus scan from this site: Trend Micro Housecall - Again, select all of your drives to be scanned. Please check "Auto clean" before scanning. http://housecall.trendmicro.com/ If you can, copy and paste the report logs from the scans into your next post. Then... Please update HijackThis, you are using an outdated version: Open HijackThis, click Config > Misc Tools > Check for Update online Or download a copy of version 1.98.2 at: http://www.majorgeeks.com/download3155.html Post a fresh log with this new version. Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#3
October 21st, 2004, 04:55 PM
|
|||
|
|||
|
Updated HJT logs, stinger log
Hi Tom. Man I feel like George Bush, but instead this is the war on adware. Since I last posted, I have done some major manual removals. I updated Ad-Aware, and that got rid of an II22 process (malware). I also got rid of nCase and Apropos, but AutoUpdate still lives on, along with CxtPls. I also got Spybot S-D and SpySweeper, both of which picked up a TON of stuff that Ad-Aware didn't. I finally got rid of that dreaded TV Media virus. I had to reboot in safe mode to get rid of it, god that thing was nastie. Well, I think I'm clean, but here are the logs of Stinger, Trend Micro and an updated Hijack This. Stinger actually picked up some profile.exe worm thing, which had been sitting on my dads desktop. I didnt know what the heck it was until now.
Anyway, Here ya go: Logfile of HijackThis v1.98.2 Scan saved at 5:53:22 PM, on 10/21/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\AutoUpdate\AutoUpdate.exe C:\WINDOWS\System32\imaertrm.exe C:\WINDOWS\System32\immap.exe C:\Program Files\CxtPls\CxtPls.exe C:\Documents and Settings\Elena Ghioto\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/ R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing) O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42" O4 - HKLM\..\Run: [rtndlxytswplb] C:\WINDOWS\System32\pbivktxb.exe O4 - HKLM\..\Run: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [p3FW35l] imaertrm.exe O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - HKCU\..\Run: [Y0w6RRJ5l] immap.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O16 - DPF: {372DC06F-87DD-48D7-BCED-A815965C0164} - http://www.traffichog.com/toolbar2/winalot32.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E922D9B0-59DB-4D41-B6B2-0DCB24D54A35}: NameServer = 208.218.130.4 208.218.130.5 And Heres Stinger: McAfee AVERT Stinger Version 2.4.1.0 built on Oct 14 2004 Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved. Virus data file v1000 created on Oct 14 2004. Ready to scan for 43 viruses, trojans and variants. Scan initiated on Thu Oct 21 17:18:02 2004 C:\Documents and Settings\Fred\Desktop\profile.scr Found the W32/Sdbot.worm.gen.i virus !!! C:\Documents and Settings\Fred\Desktop\profile.scr has been deleted. C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP788\A0145820.scr Found the W32/Sdbot.worm.gen.i virus !!! C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP788\A0145820.scr has been deleted. C:\WINDOWS\SYSTEM32\YahooMsgr.exe Found the W32/Sdbot.worm.gen.i virus !!! C:\WINDOWS\SYSTEM32\YahooMsgr.exe has been deleted. Number of clean files: 66563 Number of infected files: 3 Number of files deleted: 3 And Trend Micro: Picked up TROJ AGENT.AE I stupidly closed out of the IE window before it was done, which closed the scan window (I didnt think it would) but it was almost done. Im curious in the HijackThis log, about that R3 URLSearchHook. I think I read that thats tied in with TV Media. Also, the CxtPls. That looks new. I also managed to get rid of the "saie" virus. I think it was Search Assistant Internet Explorer, tied in with 180 Solutions, nCase, and msbb. Also, I like to see the running proccesses on my computer every day, and several new processes have been running lately, but havnt been picked up by ad-aware. They are CxtPls.exe, AutoUpdate.exe, immap and imaertrm, along with three more that come in and out. The strange thing is that the CxtPls and Auto Update folder are not in my Program Files folder, like it says they are. Internet Explorer has been a little sluggish lately. AND IM STILL GETTING POP UP ADS ON SITES LIKE GOOGLE, THAT DONT GIVE POPUPS! This must be a sign that I still have some adware. Well, thank you for all of your help Tom, Jared Ghioto
|
|
#4
October 22nd, 2004, 02:11 AM
|
||||
|
||||
|
Threads merged. Please keep all the logs from the same problem in the same thread.
|
|
#6
October 22nd, 2004, 11:37 AM
|
|||
|
|||
|
Quote:
Sounds like you have been doing your homework Go to the Control Panel's Add/Remove Programs feature. Select and remove 'AM Server' and 'POP'. Next... You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask! You seem to be infected with the peper/sandboxer trojan: First, download this Peper Trojan uninstaller: http://downloads.subratam.org/Newuninst.exe Double click on 'uninst.exe' and press Uninstall. Let it run and terminate. You must be online to have this work and allow any attempts for the program to connect to internet if your firewall requests access. Next, verify your work by downloading PeperFix tool: http://downloads.subratam.org/PeperFix.exe Save it to your desktop, doubleclick on it, click 'Find and Fix' and let it run. Next... Logoff your internet connection. Please press Ctrl-Alt-Delete and open Task Manager. End the following process by selecting it and pressing the End Process button and clicking Yes to the confirmation message: AutoUpdate.exe imaertrm.exe immap.exe CxtPls.exe Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed. R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file) O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O4 - HKLM\..\Run: [rtndlxytswplb] C:\WINDOWS\System32\pbivktxb.exe O4 - HKLM\..\Run: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [p3FW35l] imaertrm.exe O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe O4 - HKCU\..\Run: [Y0w6RRJ5l] immap.exe This resource hog can be safely fixed too: O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode. Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK. Search for and delete the following files: C:\WINDOWS\System32\imaertrm.exe C:\WINDOWS\System32\immap.exe C:\WINDOWS\System32\pbivktxb.exe YahooMsgr.exe Search for and delete the following folders: C:\Program Files\CxtPls\ C:\Program Files\AutoUpdate\ Next.... Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following: Temporary Internet Files Recycle Bin Temporary Files Then click OK. Empty your Recycle Bin. Reboot normally and post a fresh HijackThis log. While waiting for a response from me... You are seriously behind on Windows Updates. This leaves your computer open to many threats. You will just get infected again if you don't install these! Please update Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available". http://windowsupdate.microsoft.com/ Tom
|
|
#7
October 22nd, 2004, 03:24 PM
|
|||
|
|||
|
Okay, Looks good, here's a new HJT log
Hi Tom. I did everything that you said, and located everything, deleted everything. The only thing I couldn't locate was pbivktxb in the SYSTEM32 Folder. I searched REGEDIT and I searched the system fr it. I found atrace of it in REGEDIT, and deleted it. I found a prefectch by searching the system and I deleted that. Everything seems to be good, though, no weird processes.
Here's a fresh HJT log Logfile of HijackThis v1.98.2 Scan saved at 4:25:57 PM, on 10/22/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Elena Ghioto\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42" O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll O16 - DPF: {372DC06F-87DD-48D7-BCED-A815965C0164} - http://www.traffichog.com/toolbar2/winalot32.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E922D9B0-59DB-4D41-B6B2-0DCB24D54A35}: NameServer = 208.218.130.4 208.218.130.5 I will do some windows updates, I can't believe I let that slip by me. All I can say is THANK YOU for all of your help! Jared Ghioto
|
|
#8
October 23rd, 2004, 02:52 PM
|
|||
|
|||
|
Good work, you computer is clean!!!!
Because you were infected, backups of the malware may be in System Restore. 1 Right-click My Computer, and then click Properties. 2 Click the System Restore tab. 3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box. 4 Click Apply 5 this will delete all existing restore points. Click Yes to do this. 6 Click OK. Reboot 1 Right-click My Computer, and then click Properties. 2 Click the System Restore tab. 3 Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box. 4 Click Apply 5 Click OK. Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added. Then.... These are tools that will help keep you from getting infected again: SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in InternetExplorer. http://www.javacoolsoftware.com/spywareblaster.html SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. http://www.wilderssecurity.net/spywareguard.html IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer http://mvps.org/winhelp2002/hosts.htm All are very small free programs. Occasionally check for updates. Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available" http://windowsupdate.microsoft.com/ Please take a minute to read: So how did I get infected in the first place? http://forums.net-integration.net/i...?showtopic=3051 Tom
|
|
#9
October 23rd, 2004, 04:11 PM
|
|||
|
|||
|
All Done And Looking Good!
Okay, before you replied to my logs I had already downloaded Spyware Guard and SpywareBlaster, Both of which in my opinion are great additions to the protection programs I have now. I've got an army protecting my computer
I did the system restore thing, and Windows is halfway updated. (XP SP2 is taking forever! 80 mb's on 56k!) I have one quick question about the speed of my computer when logging on to a user name. At my shcool, we have Dells with the same stuff my computer has, actually they run Windows 2000 (128 mb ram etc.) which is less than my comp (I have 128 RAM but XP). Whenever we log on at school, it's like instant... and when I open MS WORD for example, it loads instantaneously. On my computer, though, it takes like 5 minutes to fully load up a users desktop, even when there is no one else logged on, same with MS Word. Any reason why? Thank you so much, I thank you, and my family thanks you... Ill probably be posting more HJT logs just to make sure I'm still clean, though. Thanks again, Jared Ghioto
|
|
#10
October 23rd, 2004, 07:04 PM
|
|||
|
|||
|
Quote:
A lot of it can do with the amount of startup programs your computer has. The computers at school probably do not have as many programs starting up as the average user's computer does. Also, (at most schools) if a computer starts slowing down, has virus' etc. they quickly reimage the computer with a program like Ghost. Stop by for a recheck of your HijackThis log anytime. Tom
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
