#1
The Log File of HijackThis v1.98.2 is

Logfile of HijackThis v1.98.2
Scan saved at 7:41:00 AM, on 11/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
D:\WINDOWS\myCIO\Agent\myAgtTry.Exe
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\WINDOWS\System32\VTskMgr.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\MICROS~1\MSSQL$~1\binn\sqlservr.exe
D:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Sify Broadband\BBClient.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\New Backup\Softwares\HikackThis 1.98.2\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [myCIO.com Splash] D:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] D:\WINDOWS\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [mcscan] VTskMgr.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows AdControl] D:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunServices: [mcscan] VTskMgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "D:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{024686DE-AFB4-47CA-9FF9-195006EDF1FB}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{024686DE-AFB4-47CA-9FF9-195006EDF1FB}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{024686DE-AFB4-47CA-9FF9-195006EDF1FB}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - D:\WINDOWS\myCIO\Agent\myRmProt2.7.1.248.dll

Anyone can tell what is wrong ?????
#2
Hi melvis_vaz,

You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.

Logoff your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

O4 - HKLM\..\Run: [Windows AdControl] D:\Program Files\Windows AdControl\WinAdCtl.exe

Do you have any idea what this program is? I can't find much information on it:

O4 - HKLM\..\Run: [mcscan] VTskMgr.exe ???????
O4 - HKLM\..\RunServices: [mcscan] VTskMgr.exe

These are resource hogs that can be fixed also:

O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE

Next...

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

Search for and delete the following folder:

D:\Program Files\Windows AdControl < the entire Windows AdControl folder

Next....

Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following:

Temporary Internet Files
Recycle Bin
Temporary Files

Then click OK. Reboot normally.

Next...

Perform an online virus scan from this site: Trend Micro Housecall - Select all of your drives to be scanned. Please check "Auto clean" before scanning.
http://housecall.trendmicro.com/

If you can, copy and paste the report logs from the scan into your next post.

Please post a fresh HijackThis log.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#4
Hi Tom Myboy,

Thanks a lot for u reply. I did all the things u said. I also ran the online scan. It found 3 non cleanable trojan, I deleted all the files. I could not save the log, as there was no option for that. Below is a fresh log of Hijack scan. This VtskMgr is Mcafee Virus Scan Manager. The CPU is always showing 100% and my pc is sending large no. of packets. I do not know how to solve it now. Can u help me out. Thanks a lot and awaiting u reply.

- Melvis

Logfile of HijackThis v1.98.2
Scan saved at 5:07:05 PM, on 11/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\VTskMgr.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\MICROS~1\MSSQL$~1\binn\sqlservr.exe
D:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\javahw32.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\WINDOWS\myCIO\Agent\myagttry.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\inetsrv\DavCData.exe
E:\New Backup\Softwares\HikackThis 1.98.2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows AdControl] D:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] D:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] D:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [mcscan] VTskMgr.exe
O4 - HKLM\..\RunServices: [mcscan] VTskMgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "D:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101401562484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{024686DE-AFB4-47CA-9FF9-195006EDF1FB}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - D:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - D:\WINDOWS\myCIO\Agent\myRmProt2.8.1.119.dll
#5
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.

If you have any questions before starting the fix, please don't hesitate to ask!

Please go to Start > Control Panel > Add/Remove programs and remove:

BullsEye Network

Next...

Please download CWShredder from Here
Save it to a convenient location such as your Desktop. Do not run it yet!!!

Next...

Download Backdoor.Agent.B Removal Tool from Symantec:
http://securityresponse.symantec.co...moval.tool.html
Please follow all the instructions provided by Symantec. Please save the log produced by the removal tool.

Reboot

Run CWShredder:
Close ALL browser windows or it may not work! Run CWShredder and select "Fix" (do not just Scan). It will automatically remove the infections.

Next...

Please download and run LSPFix from here:
http://cexx.org/LSPFix.exe
On the opening screen, click "I know what I'm doing".. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Next...

Logoff your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Windows AdControl] D:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - D:\WINDOWS\msopt.dll (file missing)

Next...

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

Search for and delete the following files:

D:\WINDOWS\system32\mfckh.exe

Search for and delete the following folders:

D:\Program Files\Windows AdControl < delete the entire Windows AdControl folder
D:\Program Files\BullsEye Network < delete the entire BullsEye Network folder

Next....

Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following:

Temporary Internet Files
Recycle Bin
Temporary Files

Then click OK. Reboot normally.

Is Satyam Infoway your ISP? Just checking to see if you are hijacked.

I don't see a firewall running in your log. ZoneAlarm has a free firewall:
http://www.zonelabs.com/store/conte...reeDownload.jsp

Please post a fresh HijackThis log along with the Symantec removal tool log.

Tom
#6
Hi TomBoy,

I ran all the steps u told me. The virus is still there. I am sending u logfile of Hijack and there was no virus found for Symantec Backdoor.Agent.B Removal Tool.

-Melvis

Logfile of HijackThis v1.98.2
Scan saved at 8:16:06 PM, on 11/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
D:\WINDOWS\System32\VTskMgr.exe
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\WINDOWS\myCIO\Agent\myagttry.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\system32\ieck.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\MICROS~1\MSSQL$~1\binn\sqlservr.exe
D:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\javahw32.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\inetsrv\DavCData.exe
D:\Program Files\Sify Broadband\BBClient.exe
D:\Program Files\Internet Explorer\iexplore.exe
E:\New Backup\Softwares\HikackThis 1.98.2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\glsbs.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {B78A3B74-89E9-5BA8-08EF-3977908BA3A0} - D:\WINDOWS\system32\mfcqb32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows AdControl] D:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] D:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] D:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [mcscan] VTskMgr.exe
O4 - HKLM\..\Run: [d3mt.exe] D:\WINDOWS\system32\d3mt.exe
O4 - HKLM\..\Run: [ieck.exe] D:\WINDOWS\system32\ieck.exe
O4 - HKLM\..\RunServices: [mcscan] VTskMgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "D:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101401562484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (SL Control) - http://static.topconverting.com/activex/sl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{024686DE-AFB4-47CA-9FF9-195006EDF1FB}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - D:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - D:\WINDOWS\myCIO\Agent\myRmProt2.8.1.119.dll
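
Added example, not part of the original thread and not a HijackThis feature: the comparison a helper makes by eye between the fix list in post #5 and the follow-up log in post #6, written in Python. The function names are hypothetical, the sample entries are abridged from the logs posted above, and the section-code pattern is an assumption based on those logs.

```python
import re

# Assumption: every result entry starts with a section code (R0, O4, O15, ...)
# followed by " - ", as in the logs posted in this thread.
_SPLIT = re.compile(r"\s+(?=[RFNO]\d{1,2} - )")
_ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$", re.S)


def parse_entries(log_text):
    """Return {normalised key: entry text} for each result entry in a log.

    Works on one-entry-per-line logs and on logs pasted as one run of text,
    because it splits in front of each section code rather than on newlines.
    The header and the "Running processes" block do not match and are skipped.
    """
    entries = {}
    for chunk in _SPLIT.split(log_text.strip()):
        match = _ENTRY.match(chunk)
        if not match:
            continue
        section = match.group(1)
        detail = " ".join(match.group(2).split())  # collapse whitespace
        # Windows paths and registry names are case-insensitive.
        entries[(section, detail.casefold())] = f"{section} - {detail}"
    return entries


def review_followup(fix_list, before_log, after_log):
    """Compare a follow-up log with the fix list and the previous log."""
    flagged = parse_entries(fix_list)
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    return {
        # Flagged for removal but still present after the fix was applied.
        "persisting": sorted(after[k] for k in flagged.keys() & after.keys()),
        # Flagged for removal and gone from the follow-up log.
        "cleared": sorted(flagged[k] for k in flagged.keys() - after.keys()),
        # Present now but absent before: signs of re-infection or a new dropper.
        "new": sorted(after[k] for k in after.keys() - before.keys()),
    }


# Sample input: entries abridged from the thread's fix list and logs.
FIX_LIST = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
"""

BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\havjs.dll/sp.html#11111
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [myCIO.com ASaP] D:\WINDOWS\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\glsbs.dll/sp.html#11111
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {B78A3B74-89E9-5BA8-08EF-3977908BA3A0} - D:\WINDOWS\system32\mfcqb32.dll
O4 - HKLM\..\Run: [myCIO.com ASaP] D:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [mfckh.exe] D:\WINDOWS\system32\mfckh.exe
O4 - HKLM\..\Run: [ieck.exe] D:\WINDOWS\system32\ieck.exe
O15 - Trusted Zone: *.slotch.com
"""

if __name__ == "__main__":
    for label, items in review_followup(FIX_LIST, BEFORE, AFTER).items():
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

When a log was pasted as one run of text, any prose typed directly after the last entry ends up attached to that entry, so trim the paste to the log itself first.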
#7
Hi Melvis,

I don't mean to leave you hanging. I will post a new fix shortly.

Tom
#8
Melvis,

Please download GetService.zip:

Create a new folder on your desktop and name it Getservice.
Download the file below and save it to the Getservice folder.
Open the folder, right-click Getservice.zip > Open With > Compressed folders > extract the files to your new Getservice folder > double-click Getservice.bat

A text file with all the running services on your machine will open. Please copy and paste the contents of the text file in your next post.

http://www.bleepingcomputer.com/fil.../getservice.zip

Tom
#9
Hi,

I had formatted my C: and D: drive and not E:, and now installed win 2000 professional. The virus is still there, and the CPU also goes 100%. VTskMgr I think is causing the problem which is McAfee virus tool. Sending u the log of getservices as an attachment

- Melvis
#10
Ok, we will have to start over...

Please post a fresh HijackThis log.

Tom
#11
Dear Tom,

CPU shows 100% and VTskMgr takes lots of memory. Qhost is not going at all. Sending you the log of Hijack

- Melvis

Logfile of HijackThis v1.98.2
Scan saved at 8:23:15 PM, on 12/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running process