#1
Registered User
Join Date: Apr 2005
Posts: 6
OS: xp
Please, Please help! Hijackthis log!
Here is the log. I did a scan for viruses and it came up with a w32/backdoor.bam in this location: c:\program files\aim\sysfiles\wxbug.exe and it let me delete it from that location but not the other stating that it could not delete or quarantine it. It was I scanned for spyware too. I need to know what to do next. I just don't know where to start.
Logfile of HijackThis v1.99.1
Scan saved at 11:30:49 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUME~1\Jennifer\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/CabbagePatchKidsHangout
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/CabbagePatchKidsHangout
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\app\cox.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

Last edited by JennieD; 04-14-2005 at 11:36 PM.
#2
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
__________________
Blackduck30
Time is like money and milk, it's always running out.
Any Donations Help Keep TSF Free For All
#3
Registered User
Join Date: Apr 2005
Posts: 6
OS: xp
Thank you! I scanned again for viruses and it said that there was 1 infected file, A0019653.exe, and the location c:\ system volume. It let me delete it this time. I hope this was not wrong. It is strange because it said the virus was from way back in January and I have scanned for viruses since then and come up with nothing. My computer seems to be working ok but I just want to make sure, because there are a couple of problems and I want to find out if it's related. I have to go to bed now; I will check back in the morning. Thanks again so much!
#5
Registered User
Join Date: Sep 2004
Location: Wollongong/Australia
Posts: 4,230
OS: XP pro SP3/Vista Ultimate
Hello JennieD
Sorry for the delay, it's the time zone thing. Your log looks clean, so you can download the program below.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Let's use a program to scan for any trojans that may exist.

Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here.

When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
Blackduck30
Time is like money and milk, it's always running out.
Any Donations Help Keep TSF Free For All
#6
Registered User
Join Date: Apr 2005
Posts: 6
OS: xp
Sorry it took so long, but here are the results. I had trouble at first, it would start and then stop responding, but I got it to work. I did update it before I ran the scan, so I don't know why it said to update. I followed the manual instructions. Thanks again for your time. If you need more info please let me know.

14:51:45 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
14:51:45 [Init] Started 16-04-05 14:51:45 Pacific Standard Time (UTC: 8), Internet Time @952.60
14:51:45 [Init] Loading TDS-3 Systems ...
14:51:45 [Init] Token successfully adjusted.
14:51:45 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
14:51:45 [Init] • Plugins : OK. Loaded 13
14:51:45 [Init] • Exec Protection : Not Installed
14:51:45 [Init] WARNING: Your Radius.TD3 database needs to be updated!
14:51:45 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
14:51:45 [Init] Licensed users can use the Update facility from the TDS menu
14:51:46 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
14:52:17 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
14:52:17 [Init] • Systems Initialised [52414 references - 26651 primaries/13539 traces/12224 variants/other]
14:52:17 [Init] Radius Systems loaded. <Databases updated 16-04-2005>
14:52:17 [Init] TDS-3 Ready. <Jennifer@68.8.230.92, 127.0.0.1 - United States>
14:52:17 [Tip Of The Day] Don't eat food at the keyboard!
14:52:17 [TDS] Good afternoon Jennifer.
14:52:26 [Mutex Memory Scan] Started...
14:52:28 [Mutex Memory Scan] Finished (no trojan mutexes found).
14:52:28 [TDS-3] NOTICE - TDS-3 was not properly shut down.
14:52:28 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
14:52:46 [CRC32] Started - verifying 29 files ...
14:52:50 [CRC32] Test finished.
14:56:18 [Memory Scan] Memory scan started, please wait a moment ...
14:56:20 [Memory Scan] Memory scan complete.
14:56:20 [Mutex Memory Scan] Started...
14:56:22 [Mutex Memory Scan] Finished (no trojan mutexes found).
14:56:22 [Trace Scan] Started...
14:57:00 [Trace Scan] Finished.
14:57:00 [ServiceScan] Scanning for services and drivers ...
14:57:12 [ServiceScan] Scanned 299 services and drivers.
14:57:12 [File Scan] Scanning in A:\ ...
14:57:13 [File Scan] Scanned 0 files: 0 alarms in 1.050781 seconds (Avg 1. files/sec)
14:57:13 [File Scan] Scanning in C:\ ...
16:48:34 [File Scan] Scanned 48274 files: 1 alarms in 6680.949 seconds (Avg 8.23 files/sec)
16:48:34 [File Scan] Scanning in D:\ ...
16:48:34 [File Scan] Scanned 0 files: 1 alarms in 0 seconds (Avg -1.#IND files/sec)
16:48:34 [Scan] Finished.

Here is the alarm; it would not copy, so I typed it out.
Positive identification[DLL] Adware.MiniBug[dll] c:\program files\aws\weatherbug\minibugtransproter.dll
#7
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3
Hi..
Uninstall the following program (if it still exists). Go into HijackThis -> Config -> Misc. Tools -> Open Uninstall manager:
AWS

Open Windows Explorer and delete the whole (red) folder (if listed):
c:\program files\aws

Post a fresh HJT log when finished.
__________________
Eddy

Last edited by Pancake; 04-16-2005 at 08:51 PM.
#8
Registered User
Join Date: Apr 2005
Posts: 6
OS: xp
Hi there! Well, I did as you instructed, however aws was nowhere to be found on the list. I did actually find the folder and I deleted it. Here is my new hjt log. Do I need to do anything else?

I am having a problem trying to empty my temporary internet files. It stops responding, no matter what method I try to use to delete them. I finally got them deleted, but I had to restart and keep starting over because it would just take forever, and I knew something was up because it should not take that long. If this is a problem I should post in another forum, then I will; I just wondered if it was related or something different.

Logfile of HijackThis v1.99.1
Scan saved at 4:04:10 PM, on 4/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/CabbagePatchKidsHangout
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/CabbagePatchKidsHangout
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\app\cox.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

Thank you so much!

Last edited by JennieD; 04-17-2005 at 04:10 PM.
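The thread's reviewers compare the two HijackThis logs by eye. As an added example (not code from the thread or from HijackThis), the script below parses the "Rn/Fn/On - detail" entry format, diffs a before and an after log, and flags the entry types a log reviewer reads first. The review heuristics are my own assumptions, and the embedded logs are constructed, abbreviated excerpts of the two logs posted above.

```python
import re
from typing import List, Tuple

# A HijackThis entry line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] x.exe".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs for every entry line; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def diff_hjt(before: str, after: str) -> Tuple[list, list]:
    """Entries that vanished and entries that appeared between two logs of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)

def review_notes(entries: List[Tuple[str, str]]) -> List[str]:
    """Assumed reviewer heuristics (mine, not HijackThis's) for entries worth a closer look."""
    notes = []
    for sec, detail in entries:
        if sec == "O1":                       # hosts-file override of a DNS name
            notes.append("O1 hosts override: " + detail)
        elif sec == "F2" and "UserInit=" in detail:
            value = detail.split("=", 1)[1].strip().rstrip(",").lower()
            if not value.endswith(r"\system32\userinit.exe"):  # the default winlogon UserInit
                notes.append("F2 non-default UserInit: " + detail)
        elif sec == "O4" and "] " in detail:  # Run-key autostart written as [name] command
            command = detail.split("] ", 1)[1]
            if "\\" not in command:           # bare file name, resolved through PATH at logon
                notes.append("O4 autostart without a full path: " + detail)
    return notes

# Constructed, abbreviated excerpts of the thread's first (before) and second (after) logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\carpserv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/CabbagePatchKidsHangout
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
LOG_AFTER = LOG_BEFORE + "O1 - Hosts: 64.91.255.87 www.dcsresearch.com\n"

if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed, "\nadded:", added)
    for note in review_notes(parse_hjt(LOG_AFTER)):
        print(note)
```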